IDEXX LABORATORIES INC /DE - (IDXX)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Our Cybersecurity Risk Management Program

Like other companies, we currently inhabit an environment of increasing global cybersecurity vulnerabilities and threats. We aim to effectively assess, identify, and manage material risks from these cybersecurity threats through our cybersecurity risk management program.

Our cybersecurity risk management program includes processes that incorporate and utilize certain principles from the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, the COBIT 2019 Framework and the IT Infrastructure Library (“ITIL”) Framework. The program aims to protect and preserve the security, availability, integrity, confidentiality, and privacy of our information systems and information residing on those systems and includes controls and procedures for the prevention, identification, containment, and remediation of cybersecurity threats through the use of various technologies, tools, policies, standards, and practices. Features of our cybersecurity risk management program include:

An expectation, set forth in our Code of Ethics, that all employees are responsible for protecting our data, operations and environment from unauthorized access and use;
Regular cybersecurity risk assessments and benchmarking;
Policies and processes related to the detection and reporting of and response to cybersecurity events;
Cybersecurity training for all newly hired employees upon onboarding;
Individualized, biannual employee information security assessments, coupled with tailored follow-on employee trainings;
Phishing tests conducted at least quarterly on a global basis, with additional periodic phishing tests conducted with high-risk employee groups;
Channels for employees to report suspicious emails or other activity and the actual or suspected loss, theft, improper use of or access to IDEXX systems or information;
Deployment and ongoing assessment of the effectiveness of technological tools aimed at preventing, detecting, and mitigating cybersecurity threats;
Policies and procedures to assess third-party service provider cybersecurity risks and security controls and measures (as part of our procurement process and periodically/regularly thereafter);
Performance of cybersecurity tabletop exercises;
Regular review of and, as applicable, updates to our cyber incident response plan and protocols, system backup measures, redundancy planning and disaster recovery plans; and
Maintenance of a cyber risk insurance policy to help address risk of loss due to certain types of cybersecurity events.

A review of cybersecurity risks is integrated into our annual enterprise risk assessment that occurs as part of our annual strategic planning process and is included in our quarterly disclosure controls and procedures. Our annual enterprise risk assessment process involves the identification and assessment by senior line-of-business and functional leaders, as well as our Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”), of the risks relevant to their lines of business and functional areas, the materiality of those risks, our risk tolerances and our plans to manage and mitigate the risks to the extent prudent and feasible.

From time to time, we engage third parties, including assessors, consultants, legal counsel, and others to conduct penetration testing, assess our program, provide recommendations for improvement, and advise us on best practices.

Material Effects from Risks of Cybersecurity Threats

We do not believe any risks from cybersecurity threats (including from any prior cybersecurity incidents) have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. There can be no assurances, however, that we or our business partners or suppliers will not experience a future system disruption, attack or security breach that materially impacts our business, operations, results of operations, or financial condition. For more information refer to “Item 1A. Risk Factors, General Risks, We are increasingly dependent on the continuous and reliable operation of our information technology systems, and a disruption of these systems or significant security breaches could adversely affect our business.”

Governance of our Cybersecurity Risk Management Program

Role of Management

Our cybersecurity risk management program and activities are led by our CISO, who reports to Ken Grady, our Senior Vice President and CIO, and oversees a team of information security professionals. At this time, Mr. Grady is our acting CISO while we are conducting a search to hire a new CISO. Mr. Grady, who joined IDEXX as our CIO in 2014, has more than twenty years of experience leading information technology teams, including cybersecurity teams, at healthcare companies. Our CIO is responsible for our cybersecurity-related governance programs, overseeing testing of our compliance with standards and remediation of known risks, and leads our employee training program.

Our CIO and CISO are responsible for providing information regarding our cybersecurity risk management program, as well as cybersecurity risks and incidents, to a senior management-level cybersecurity steering committee. Within our cybersecurity risk governance model, the steering committee, which includes our CIO, CISO, General Counsel, Chief Compliance Officer, Chief Audit Executive, Chief Human Resources Officer and other senior functional and business leaders, meets quarterly, and more frequently as warranted, to review and discuss, among other things, cybersecurity risk assessments, prioritization of initiatives, training plans and incident response plan, protocols and testing. This committee regularly provides updates on its discussions and decisions to our Chief Executive Officer.

Role of the Board of Directors

In December 2023, the Board delegated responsibility for overseeing our cybersecurity risk management to the Audit Committee. In accordance with the Audit Committee’s charter, the Audit Committee will at least annually review and discuss with management, including the CIO and CISO, our processes, policies, procedures, and protocols related to cybersecurity and information security, and it is anticipated that the full Board will participate in this annual review. In addition, in accordance with the Audit Committee’s charter, the Audit Committee will throughout the year regularly review and discuss with management, including the CIO and CISO, cybersecurity program assessments and audits, planned improvements and the status of any information security initiatives, as well as risks from cybersecurity threats pertinent to us and any previous cybersecurity incidents experienced by us, including any material impact or reasonably likely material impact on the Company, our business strategy, results of operations, or financial condition. The Audit Committee will provide reports to the Board at each regularly scheduled Board meeting of the matters it has recently addressed, including relating to the oversight of our cybersecurity risk management, and the full Board may participate from time to time, as warranted, in the Audit Committee’s sessions on cybersecurity risk management. Outside advisors also may meet from time to time with the Audit Committee or Board, as warranted, to review and discuss cybersecurity matters.

Prior to December 2023, our entire Board oversaw cybersecurity risk management, and our CIO and CISO reviewed our cybersecurity risks and risk management program and activities with the Board at least annually. The Board also received additional updates on changes in our cybersecurity risks and related risk management program and activities from time to time throughout the year, as warranted. Management also shared, and will continue to share, the results of our annual enterprise risk assessment, which includes a review of cybersecurity risk, with our full Board.