AVANOS MEDICAL, INC. - (AVNS)

10-K Filing Date: February 20, 2024
ITEM 1C. Cybersecurity
Avanos has implemented a comprehensive cybersecurity program to identify, assess and manage material risks from cybersecurity threats. In addition, we have instituted executive management and board oversight of the risks arising from cybersecurity threats.
Cybersecurity Risk Management and Strategy.
We have a proactive strategy to manage the material risks stemming from cybersecurity threats. Our cybersecurity program follows the Cybersecurity Framework as defined by the National Institute of Standards and Technology. The cybersecurity program is the responsibility of our internal IT Security Team, which is overseen by our Vice President, Chief Information Officer (the “CIO”).
Our cybersecurity program includes the following key elements:
Identification. Avanos maintains an inventory of IT assets, comprising hardware and software, as well as the associated risk profiles of those systems and applications. We utilize a risk management strategy and annual risk assessment process to identify key risk areas based on the holistic threat landscape facing Avanos and our industry. To define that threat landscape, we utilize threat intelligence feeds, such as those provided by Health Information Sharing and Analysis Center (H-ISAC) and a third-party vendor, to determine security threats to the Company and other healthcare and life science organizations.
Protection. We utilize multiple intrusion protection systems and processes to protect our technology assets. These protections include Identity and Access Management (IAM), Privileged Access Management (PAM), Multi-Factor Authentication (MFA), Vulnerability Management, Endpoint Detection and Response (EDR), advanced anti-phishing and awareness training, Network and Cloud Security and other protective technologies. Annual audits are conducted to assess these controls.
Our cybersecurity protection strategy incorporates a Vulnerability Management process and solution to assist in the identification of potential vulnerabilities in our systems. If vulnerabilities are identified, we utilize a follow-on process to remediate such vulnerabilities. A third-party software-as-a-service (SaaS) provider conducts code scanning and vulnerability assessments of our external-facing websites. Furthermore, multiple cybersecurity controls exist on and around our servers and end-user systems to prevent unauthorized system and data access and data leakage. Additionally, third-party vendors conduct yearly penetration tests to search for risks to our systems utilizing techniques commonly used by bad actors.
Detection. Avanos has a formal framework consisting of people, processes and technologies dedicated to monitoring, detecting and responding to all security events. We utilize multiple intrusion detection systems and processes. These include user access reviews to determine appropriate access to systems and data and a Security Information and Event Management (SIEM) software solution, which consists of system logs with correlation logic to identify malicious activity. Logs and alerts cover the network, devices, applications and email.
Response. We have an incident response plan for cybersecurity incidents and conduct response planning with tabletop exercises. We have engaged a third party to assist with forensic investigations and expert support when needed. When a cybersecurity incident is identified by our IT Security Director and Security Team, our CIO and other members of our IT team are alerted. Incidents are classified by severity with predefined definitions, actions and notifications for each severity level. Incidents that are defined as medium, high or critical are reported to the Chief Financial Officer, Principal Accounting Officer, General Counsel and CIO to determine materiality and associated public disclosure steps. For these incidents, we engage our third-party forensic partner to assist with containment, remediation and issuing a report on the incident.
Recovery. Our dedicated security operations team, defined incident response plan and third-party forensic partner are employed to contain and recover from an incident. In addition, the IT organization conducts an annual disaster recovery exercise. Following an incident, the IT Security Team conducts a post-mortem to identify opportunities to improve our cybersecurity program. Any follow-up communications are provided as part of the recovery process.
Controls assessments are completed annually with respect to any remediation activities that have been identified and completed as part of the cybersecurity program. Avanos engages third-party vendors to conduct assessments and deliver their recommendations for improvement annually. Where appropriate, third-party vendors also assist with remediation projects.
We have a third-party risk management program. Prior to engaging third-party service providers, we conduct a cybersecurity risk assessment and utilize a third-party exchange service to gather security posture ratings across all of the third party’s IT security, compliance and data privacy domains.
We are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, which have materially affected or are reasonably likely to affect us, including our business strategy, results of operation or financial condition.
Governance
Our Audit Committee is responsible for overseeing risks from cybersecurity threats. At each meeting of the Audit Committee, our CIO provides a report on cybersecurity matters. The Audit Committee’s cybersecurity-related oversight includes the following:
Receiving notice of, and providing guidance with respect to, material cybersecurity incidents;
Reviewing our cybersecurity threat landscape, risks and cybersecurity programs and policies;
Overseeing our management and mitigation of cybersecurity risks and potential breach incidents;
Reviewing our technology and information systems strategies and trends that may affect these strategies;
Reviewing reports and key metrics on the Company’s cybersecurity and related risk management programs;
Reviewing the progress of major technology-related proposals, plans, projects and architecture decisions to ensure that these projects and decisions support our overall business strategy; and
Reviewing and providing oversight on the Company’s crisis preparedness with respect to cybersecurity.
During the year ended December 31, 2023, our Audit Committee met four times.
Our CIO (who has 14 years of cybersecurity experience) and our Associate Director of Global Cybersecurity (who has 25 years of cybersecurity experience) are the members of our management team who are responsible for assessing and managing our material risks from cybersecurity threats. Our CIO is a member of the Incident Response Team, and the Director of Global Cybersecurity is a member of our internal IT Security Team and the Incident Response Team.