THERMO FISHER SCIENTIFIC INC. - (TMO)
10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
As is the case for most large global companies, we are regularly subject to cyberattacks and other cybersecurity incidents and, therefore, we incorporate cybersecurity into our overall risk management process. Our commitment to cybersecurity emphasizes using a risk-based, “defense in depth” approach to assess, educate, block, identify, respond to and recover from cybersecurity threats. Recognizing that no single technology, process or control can effectively prevent or mitigate all risks, we employ layered technologies, processes and controls, each working independently but as part of a cohesive strategy to manage or reduce risk.
Our cybersecurity program assists in the management of risks associated with the confidentiality, integrity and availability of data and systems within the company environment to effectively support our business objectives and customer expectations. The program provides guidance to business stakeholders on cybersecurity risks as input into their risk management processes that balance cybersecurity risk with other important risks that may include strategic, regulatory, economic and financial considerations.
We seek to routinely refine our cybersecurity approach to adapt to changes in the threat landscape and manage emerging security risks. In order to evaluate risks from cybersecurity threats associated with the company’s use of certain third-party technology providers, we have incorporated a risk-based assessment into the corporate information technology (IT) procurement process designed to assess the security risk of certain third parties providing new technology solutions to our environment.
We believe cybersecurity is the responsibility of every employee, and regularly educate and share best practices with our employees to raise awareness of cybersecurity threats through a security awareness training program, including regular exercises, periodic cyber-event simulations and annual attestation to our Technology Acceptable Use Policy.
We do not reasonably believe there are currently any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company or its business strategy, results of operations or financial condition. For more information on the risks related to our IT systems, see “A significant disruption in, or breach in security of, our IT systems or violation of data privacy laws could adversely affect our business or customers that use our products” under the heading “Risk Factors” in Part I, Item 1A.
Cybersecurity Governance and Oversight
The Board of Directors has delegated the oversight of cybersecurity risks to the Audit Committee. Our cybersecurity program is led by the company’s senior vice president, chief information officer, along with our vice president, chief information security officer. Management provides an operational update to the Audit Committee each quarter. In addition, the Audit Committee and our full Board of Directors receive an annual overview of the cybersecurity program, cybersecurity threat landscape, investments, and opportunities to enhance the company’s systems and security of products and operations.
The company’s corporate IT security team leads the company-wide cybersecurity strategy and advocates for the protection of company systems, employees and customers against cybersecurity risks. Through annual internal and external audits, we maintain an ISO/IEC 27001:2013 certification for the management of our cybersecurity program, which covers the following areas:
•cybersecurity program management and governance including risk management;
•cybersecurity operations including security operation centers;
•product security;
•security investigations;
•cybersecurity architecture and engineering; and
•security awareness and training.
Our senior vice president, chief information officer, vice president, chief information security officer (CISO), and vice president, chief product security officer have each served in various roles in IT and information security for over 20 years. These individuals’ knowledge and experience along with the culture and talent of the corporate IT security team organization are instrumental in developing and executing our cybersecurity strategies. The CISO meets with senior leadership to review and discuss the cybersecurity program, including emerging cybersecurity risks, threats and industry trends.
Cybersecurity is integrated into the risk management process for the company through various corporate mechanisms, including quarterly business reviews, annual budget planning, and targeted risk-based engagements.