Integer Holdings Corp - (ITGR)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We recognize the critical importance of developing, implementing, and maintaining cybersecurity measures to safeguard our information systems and to protect the confidentiality, integrity, and availability of our data and other information located on our information systems. Below is a discussion of how we assess, identify and manage material risks from cybersecurity threats.
Managing Material Cybersecurity Risks Within Our Overall Risk Management Framework
We have strategically and deliberately integrated cybersecurity risk management into our broader risk management framework to promote a Company-wide culture of cybersecurity risk management. This integration seeks to ensure that cybersecurity considerations are an integral part of our decision-making processes at every level. Our management-level Security, Privacy and Compliance Committee (the “SPCC”) was established to help ensure that the Company’s information security strategy supports our business operations and that the Company complies with applicable laws and regulations with respect to privacy and other cybersecurity matters. The SPCC is also primarily responsible for monitoring and responding to cybersecurity threats as they arise. The SPCC meets quarterly and as necessary. The SPCC is a cross-functional committee, and its members include Company officers and associates involved in various aspects of the Company’s governance and operations, including our General Counsel, Corporate Controller, Chief Information Officer, Head of Environmental, Health, Safety and Security and others, and is chaired by Mr. Richard Balducci, our Chief Information Security Officer (“CISO”). In addition, we have established a management-level Cyber Disclosure Escalation Committee (the “CDEC”) to assist in the evaluation of cybersecurity incidents that may arise from time to time and the potential need for public disclosure of any such incident. The CDEC meets quarterly and on an ad hoc basis as necessary, and it reports to our CEO and other members of the Company’s senior management.
Third-Party Engagement in Cybersecurity Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our cybersecurity risk management systems. These partnerships enable us to leverage specialized knowledge and insights, seeking to ensure that our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third parties includes threat assessments, consultations on security enhancements and cybersecurity strategies and trends and penetration testing designed to simulate an external cyberattack on the Company. We also periodically retain a third-party advisor to perform a cybersecurity materiality assessment of the Company using the NIST CSF framework. Finally, we also engage a third party to evaluate the cybersecurity strengths of our vendors as part of our third-party risk oversight, as described below under “Oversight of Third-Party Risks.”
Oversight of Third-Party Risks
We have sought to implement stringent processes to oversee and manage cybersecurity risks resulting from our day-to-day business interactions with third parties. Our third-party risk oversight is primarily handled internally at the Company and consists of four fundamental pillars. First, we require each third-party information technology vendor that we engage with to complete a cybersecurity questionnaire detailing their cybersecurity standards and practices. These questionnaires are completed at the beginning of the relationship and thereafter periodically throughout the relationship based upon our risk level assessment. Second, we use a third-party consultant to monitor and assess cybersecurity matters relating to our vendors based on publicly available information. This monitoring is ongoing and, if an issue is identified, we will proactively seek to engage with our vendors to remediate the issue. Third, we seek to strictly limit access to our internal infrastructure and, for those vendors that have a need to access our infrastructure, we use methods and processes to limit their access. Finally, we require our contracts with third-party vendors to include contractual obligations with respect to cybersecurity matters that are applicable to those vendors, including data breach notifications.
Risks from Cybersecurity Threats
We are not aware of any risks from any potential cybersecurity threat or from any previous cybersecurity incident that have materially affected or are likely to materially affect our business strategy, results of operations or financial condition. However, the risks from cybersecurity threats and incidents continue to increase, and the preventative actions we have taken and continue to take to reduce the risk of cybersecurity threats and incidents may not successfully protect against all such threats and incidents. We describe whether and how cybersecurity-related risks could materially affect our business, results of operations and financial condition in Item 1A, “Risk Factors” under the heading “Our operations are subject to cyber-attacks and other information technology disruptions that could have a material adverse effect on our business, results of operations and financial condition.”
Cybersecurity Governance Matters
Our Board understands the critical nature of managing risks associated with cybersecurity threats. Our Board has established oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and in maintaining stockholder confidence.
Board of Directors’ Oversight Role and Management’s Role in Managing Cybersecurity Risk
Our Board has direct oversight responsibility for the Company’s strategic risks. The Audit Committee has been made primarily responsible for the Board’s oversight of cybersecurity risks, but the Board has discretion to delegate this oversight responsibility to any committee or sub-committee as it deems appropriate. The Audit Committee is composed of directors with diverse expertise including risk management, operations, technology and finance and accounting, equipping them to oversee cybersecurity risks effectively.
Our CISO is responsible for updating the Audit Committee on cybersecurity risks and the processes and procedures that Company management has put in place to seek to mitigate these risks. At least twice each year, our CISO provides updates to the Audit Committee on cybersecurity risks, incidents and incident resolution. The Audit Committee also discusses with the CISO, at least annually, the status of the Company’s IT policies, procedures, disaster recovery plans and other security issues. In addition, reports describing known cybersecurity threats are delivered to our executive leadership team on a monthly basis, and general updates relating to our cybersecurity systems are delivered to our executive leadership team on a bi-monthly basis. Monthly cybersecurity reviews are also undertaken with our IT leadership team to discuss actionable cybersecurity issues.
In addition to our scheduled meetings, the Audit Committee, CISO and other senior members of management maintain an ongoing and active dialogue regarding emerging or potential cybersecurity risks. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering oversight and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. This oversight review by our Audit Committee helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework. In addition, we require all Company associates to complete mandatory cybersecurity awareness and information handling training at the time of hiring and on an annual basis.
Risk Management Personnel
Our CISO, Mr. Richard Balducci, is primarily responsible for assessing, monitoring and managing our cybersecurity risks. Mr. Balducci has worked in the cybersecurity field since 1996. His background includes both the public and private sectors. Mr. Balducci has served as our CISO since 2020 and has built out a comprehensive security program for the Company by adding cybersecurity capabilities and aligning our cybersecurity systems to leading industry standards, including the National Institute of Standards and Technology Cybersecurity Framework. In addition, Mr. Balducci oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our cybersecurity training program for associates.
Company Processes for Monitoring Cybersecurity Incidents
The CISO is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The CISO works with the SPCC to implement and oversee processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. If a cybersecurity event involving the Company were to occur, the CDEC would be immediately engaged to initially evaluate the potential materiality of the event and the potential need for public disclosure, and the SPCC and other members of senior management would be engaged to determine the timing and extent of the response and to consider whether any future vulnerabilities are expected. As part of this evaluation, the Company, through the SPCC, would also identify immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. After an initial evaluation by the CDEC, the relevant information regarding the cybersecurity event and its potential materiality would also be promptly raised to the Company’s Disclosure Committee for further review and evaluation as to whether public disclosure would be required.