DANAHER CORP /DE/ - (DHR)
10-K Filing Date: February 21, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Strategy and Risk Management
Danaher’s cybersecurity strategy and risk management program focuses on maintaining a secure environment for our data that complies with applicable legal requirements and effectively supports our business objectives and customer needs. Our commitment to cybersecurity emphasizes cultivation of a security-minded culture through education and training, and a programmatic and layered approach to prevention and detection of, and response to, cybersecurity threats. Key elements of our program for assessing, identifying and managing material risks from cybersecurity threats are described below.
We maintain cybersecurity policies that articulate Danaher’s expectations and requirements with respect to topics such as acceptable use of technology and data, data privacy, risk management, education and awareness, and event and incident management. We regularly conduct exercises, with the support of outside domain experts, to improve the effectiveness of our processes, and we periodically assess our processes against recognized cybersecurity frameworks. Consistent with our position that cybersecurity is the responsibility of every Danaher associate, we regularly educate and share best practices with our associates to raise awareness of cybersecurity threats. Every year, associates in applicable job categories are required to take information security and protection training as part of the Danaher Annual Training Program. We also conduct regular education and training for our associates through cyber-event simulations.
We strive to implement and maintain layered controls designed to prevent and, where necessary, detect and respond to cybersecurity threats. Our physical controls are designed to restrict access to locations that house significant physical information technology assets. Our technical preventive controls include access restrictions and network security technologies. Our notification policies and processes are designed so that notifications and alerts are escalated to the appropriate personnel on a timely basis to support effective review, response and compliance with legal requirements. In addition to event-specific notifications, data is aggregated and compiled on a regular basis to support the identification of trends and effective program review and oversight. We also recognize that Danaher is exposed to cybersecurity risks that affect third parties whom we rely on to process, store or transmit our electronic information. To manage these risks, we maintain technical security controls as well as processes designed to facilitate Danaher’s identification of third-party cybersecurity risks.
Key elements of Danaher’s annual Enterprise Risk Management (“ERM”) program include an inventory and classification of key risk areas and topics; a methodology for scoring risks based on the risk’s probability, severity and velocity of impact, and for trending key risks; and a framework for developing and implementing countermeasures for key risks. Information technology/cybersecurity is one of five topical areas required to be addressed as part of the annual ERM program. IT and cybersecurity risks are required to be scored using the same methodology applied to all other risk categories, which facilitates an evaluation of the significance and prioritization of cyber-related risks relative to wider business risks. In addition, Danaher policy requires the reporting of certain cybersecurity incident data to Danaher’s Risk Committee (comprising senior members of the legal, finance, internal audit and compliance functions) for consideration as part of the ERM process. Members of the Danaher Risk Committee present annually to the Danaher Board of Directors a report on the results of the ERM process, including with respect to information technology and cybersecurity risks. As part of our cybersecurity risk management program, we also maintain cyber insurance in amounts and subject to coverage terms that are typical for companies of our type and size; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches.
We periodically engage external consultants to assess our cybersecurity program. In addition, management’s annual assessment of the effectiveness of the Company’s internal control over financial reporting assesses the effectiveness of certain controls relating to cybersecurity, and the Company’s independent registered public accounting firm audits the effectiveness of the Company’s internal control over financial reporting.
Cybersecurity Governance and Oversight
At the management level, Danaher’s cybersecurity program is led by the Company’s Chief Information Security Officer (“CISO”), who reports to Danaher’s Chief Information Officer (“CIO”), who in turn reports to Danaher’s Chief Financial Officer. Danaher’s CIO has served as a technology leader for over 25 years, leading cybersecurity, engineering, and operational functions as the CIO for two multi-billion-dollar businesses prior to assuming the Danaher CIO role. Danaher’s CISO has served for more than 20 years in various information security roles, including serving as the Chief Information Security Officer of two large, publicly traded companies prior to joining Danaher. The CISO is supported by the Information Risk Steering Committee (“IRSC”), a management committee comprising senior members of the information technology, legal, privacy, finance, internal audit and communications functions. The IRSC supports the CISO and CIO in overseeing and managing information security risks and, in the event of a cybersecurity incident, provides oversight and leadership with respect to incident investigation, mitigation and remediation.
At the Board level, Danaher’s Board of Directors has delegated to the Audit Committee of the Board responsibility for oversight of risks relating to cybersecurity, as set forth in the Committee’s charter. Multiple members of Danaher’s Audit Committee have prior work experience overseeing or assessing a cybersecurity function. Danaher’s CISO and CIO update the Audit Committee multiple times per year regarding Danaher’s cybersecurity program, including key program metrics, initiatives and developments. The Audit Committee regularly briefs the full Board on these matters. In addition, in the event of a significant cybersecurity incident, Danaher policy and process requires timely engagement of and consultation with the Audit Committee.
Based on the information we have as of the date of this Annual Report, we do not believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect Danaher, including our business strategy, results of operations or financial condition.