CHARLES RIVER LABORATORIES INTERNATIONAL, INC. - (CRL)

10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Charles River places high importance on identifying and eliminating potential cybersecurity threats to its employees, customers, IT infrastructure, proprietary technologies and confidential information.
Our cybersecurity risk management is based on recognized industry governance frameworks, including the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Center for Internet Security Controls (CIS), and the Cloud Security Alliance (CSA). We use these frameworks together with information collected from internal and third-party assessments to develop policies such as our technology acceptable use policy for information assets, our access requirements for data, systems, or technologies, and policies for the protection and use of personal information of our employees and customers. We protect our IT assets through industry-standard techniques such as multifactor authentication, malware defenses, network and endpoint monitoring, and access review processes. We also work with our business units to leverage and implement foundational cybersecurity principles, such as security by design, defense-in-depth, least privilege, and resilience-focused backups, throughout our organization. We deliver cybersecurity awareness and confidential information protection training to our employees, and we send our employees ethical simulated phishing and spear-phishing emails to test their compliance with our policies.
We engage third parties to conduct annual penetration testing, and we use external risk assessors to measure our program to industry standard frameworks. Our information security management system is certified to the ISO/IEC 27001:2013 standard by the British Standards Institution (BSI); certificate IS 780367. We also collaborate with experts and industry partners to exchange information about threats, best practices, and trends.
Our cybersecurity risk management extends to risks associated with our use of third-party service and technology providers as well as partnerships with third parties we may enter into. For instance, we conduct risk and compliance assessments of third parties that request access to our IT resources and information or who provide technology products to Charles River.
Our cybersecurity risk management is an important part of our comprehensive business continuity program and enterprise risk management. Our global information security team periodically engages with a cross-functional group of Charles River subject-matter experts and leaders to assess and refine Charles River’s cybersecurity risk posture and preparedness. For example, we regularly evaluate and update contingency strategies for our business in the event that a portion of our IT systems were to be unavailable due to a cybersecurity incident. We practice our response to potential cybersecurity incidents through regular tabletop exercises. We also perform threat hunting and red team exercises.
Through these processes, during our fiscal year 2023 and through the date of this filing we did not identify risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see the section titled “Item 1A. Risk Factors – Business and Operational Risk Factors - We have in the past experienced and in the future could experience unauthorized access into our information systems.”
Governance of Cybersecurity Risk Management
Our board of directors, as a whole, has oversight responsibility for Charles River’s strategic and operational risks. The Audit Committee of the Board of Directors has been delegated by the Board responsibility for reviewing and discussing Charles River’s risk assessment and risk management practices, including cybersecurity risks, with members of management. The Audit Committee, in turn, periodically discusses its review and assessment with the board of directors.
Our management team is responsible for day-to-day assessment and management of cybersecurity risks. On our management team, our Chief Information Officer has primary oversight of material risks from cybersecurity threats. The Chief Information Officer is Charles River’s Senior Vice President responsible for the Global Technology organization and for information protection at Charles River. The Chief Information Officer has more than 25 years of experience in the field, including serving as the Senior Vice President of Charles River’s Digital Transformation organization, leading the development and implementation of information technology strategies and roadmaps for digital and automation solutions.
Our Chief Information Security Officer reports to our Chief Information Officer. Our Chief Information Security Officer has more than 25 years of experience working in information technology-related roles, of which 10 years have been in information security leadership, and holds degrees in bio-medical engineering and computer science.
Our Chief Information Officer and Chief Information Security Officer assess our cybersecurity readiness through internal assessment tools as well as third-party control tests, vulnerability assessments, audits, and evaluation against industry standards. We have governance and compliance structures that are designed to elevate issues relating to cybersecurity to our Chief Information Officer and Chief Information Security Officer, such as potential threats or vulnerabilities. We also employ various defensive and monitoring techniques based on industry frameworks and cybersecurity standards.
Our Chief Information Officer and our Chief Information Security Officer meet annually with the full Board, and periodically, but generally at least quarterly, with the Chief Executive Officer, Chief Operations Officer, and Audit Committee to review the company’s information technology systems and discuss key cybersecurity risks. Our Chief Information Security Officer has direct access to the Chair of our Audit Committee and keeps the Audit Committee apprised of any developments that may emerge in between regularly scheduled meetings that require its attention. Additionally, our Incident Response Plan includes escalation protocols to raise occurrences that require attention from the Audit Committee or the board of directors as a whole.