Avantor, Inc. - (AVTR)
10-K Filing Date: February 14, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We rely on sophisticated information systems to obtain, rapidly process, analyze, and manage data in order to effectively operate our business. We are committed to protecting our business information, intellectual property, customer, supplier and employee data and information systems from cybersecurity risks and maintain an active cybersecurity risk management and strategy program, which is integrated in our enterprise risk management program.
We maintain enterprise-wide information security policies, processes and standards that set the requirements around acceptable use of information systems and data, risk assessment and management, identity and access management, data security, security operations, security incident response and threat and vulnerability management. We also perform formal risk assessment activities annually, aligned to the National Institute of Standards and Technology (NIST) Special Publication 800-171 control framework, whose controls are designed to protect and maintain the confidentiality, integrity, and continued availability of our data and information systems. Our team of information security professionals monitors our information systems for cybersecurity threats, breaches, intrusions and other weaknesses, responds to cybersecurity incidents, develops and implements plans to mitigate cybersecurity threats and facilitates training for our employees.
We also engage consultants and other third-party advisors to conduct independent assessments of our cybersecurity readiness and control effectiveness. In collaboration with external cybersecurity firms, we seek to gain insights into emerging threats and vulnerabilities, industry trends, and leading practices to inform our cybersecurity response, risk remediation and resilience capabilities, including by working with an external retained incident response team, receiving third-party threat intelligence, participating in incident tabletops, and performing assessments and controls testing on our enterprise environment.
Our program includes procedures to oversee and identify cybersecurity risks and threats of our third-party service providers, which include third-party evaluations performed by our team of information security professionals, review of independent assessment documentation, and continuous monitoring of third-party independent posture scoring. We also include security and data protection provisions in our contractual arrangements with third-party service providers where applicable. Additionally, we have purchased a cybersecurity risk insurance policy that would reduce the costs associated with a covered cybersecurity incident if it occurred.
Although no cybersecurity incident during the year ended December 31, 2023 resulted in an interruption of our operations, known losses of critical data, or otherwise had a material impact on Avantor’s strategy, financial condition or results of operations, the scope and impact of any future incident cannot be predicted. See “Item 1A. Risk Factors” for more information on how material cybersecurity attacks may impact our business.
Governance
Management plays a critical role in assessing and managing material risks from cybersecurity threats. Our Vice President of Information Security & Risk Management and Chief Information Security Officer (CISO), in coordination with our Chief Information Officer, leads a team of information security professionals and manages our cybersecurity risk management program and activities. This involves monitoring our information systems for cybersecurity threats, reviewing cybersecurity incidents, analyzing emerging threats, and developing and implementing risk mitigation strategies. Our CISO has over 25 years of experience in the information technology and services industry and is a subject matter expert in a variety of areas, including information security and IT risk.
Our CISO reports quarterly, and more frequently as needed, to our executive leadership team composed of our Chief Executive Officer, Chief Financial Officer, and Chief Information Officer on cybersecurity matters, providing the leadership team with updates on enterprise risks, cybersecurity incidents, the status of ongoing initiatives, key metrics, and additional cybersecurity topics. Our information technology leaders also meet regularly to discuss the progress of ongoing program initiatives, cybersecurity priorities, identified risks and metrics. We have also developed a cross-functional disclosure working group to assess elevated cybersecurity incidents and, as appropriate, report such events to Avantor’s standing Disclosure Committee, which concludes on the materiality of the incident and any need for regulatory reporting.
The Board of Directors exercises direct oversight of strategic risks to the Company. The Board has delegated the responsibility for cybersecurity oversight to the Audit and Finance Committee. The Audit and Finance Committee’s responsibilities include reviewing and discussing with management the strategies, processes and controls pertaining to the management of Avantor’s information technology operations, including cybersecurity risks and information security. The CISO and Chief Information Officer report to the Audit and Finance Committee annually, and more frequently as needed, on cybersecurity matters, including the cybersecurity threat landscape, key metrics demonstrating the overall management of our cybersecurity risk and risk management program, related key initiatives, enterprise program framework alignment, the annual risk mitigation strategy, and a review of cybersecurity incidents. Our Board is committed to maintaining a well-informed and cybersecurity-aware posture, engaging through regular and requested updates on our strategy and the evolving threat landscape.