METTLER TOLEDO INTERNATIONAL INC/ - (MTD)

10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity
We rely on our technology infrastructure and information systems to interact with suppliers, sell our products and services, fulfill orders, support our customers, and bill, collect, and make payments. Our internally developed system and processes, as well as those systems and processes provided by third-party vendors, may be susceptible to damage or interruption from cybersecurity threats, such as terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, or other security breaches. Such attacks have become more and more sophisticated over the years and in some cases have been conducted or sponsored by governmental actors with significant means. We have implemented robust processes to assess, identify, and manage cybersecurity risks, including potentially material risks, related to our internal information systems, our products, and our business. Our Board of Directors has direct oversight of our enterprise risk management process, including the management of cybersecurity risks, as described below.
Under the direction and supervision of our Chief Financial Officer, we conduct an annual comprehensive enterprise risk assessment, which includes details of our management of enterprise-wide risk topics, such as those related to cybersecurity risks. The Board of Directors receives the full results of the annual enterprise risk assessment, including an evaluation of cybersecurity risks we face, risks more broadly across our peers and industries, and a detailed description of the actions we have taken to mitigate these risks. The Audit Committee of the Board of Directors reviews the results of the enterprise risk assessment in detail with management on an annual basis and reports on its review to the Board of Directors each year. We provide a comprehensive update to the Board of Directors on cybersecurity at least annually, and more frequently as relevant.
Our Head of Global Supply Chain and IT, Head of Digital Business Services, and Head of Information Security serve on our Cybersecurity Steering Committee (the “Cyber SteCo”), along with our General Counsel who reports to our Chief Executive Officer, and our Head of Financial Processes who reports to our Chief Financial Officer. The Cyber SteCo, which meets monthly, develops and implements cybersecurity risk mitigation strategies and activities throughout the year, including the management of comprehensive incident response plans, and receives regular updates on cybersecurity-related matters.
Our Head of Global Supply Chain and IT, reporting to our Chief Executive Officer, has principal responsibility for assessing and managing cybersecurity risks and preparing updates for the Board of Directors. Our Head of Digital Business Services reports to our Head of Global Supply Chain and IT and is responsible for the operation of our cybersecurity program. Our Head of Digital Business Services is educated in business computing sciences and has over twenty years working in leadership, management, and consulting roles in digitalization, application management, and cybersecurity. Our Head of Digital Business Services also has experience implementing and leading global governance frameworks, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and ISO 27001. An Advisory Board, comprised of the Chief Executive Officer, Chief Financial Officer, Head of Global Supply Chain and IT, and Head of Digital Business Services, meets quarterly to discuss digital initiatives and investments, inclusive of cybersecurity topics. An experienced team of IT security professionals reports to our Head of Digital Business Services.
The Cyber SteCo oversees activities related to the monitoring, prevention, detection, mitigation, and remediation of cybersecurity risks. We have adopted the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include mandatory quarterly online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, the evaluation and retention of cybersecurity insurance, and periodic assessments of third-party service providers to assess the cyber preparedness of key vendors. To enhance our threat preparedness, we perform monthly vulnerability scans, annual penetration testing with a third party, and annual disaster recovery and cyber response drills, including third-party facilitated drills. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a third-party-operated security operations center that operates 24 hours a day to alert us to any potential cybersecurity threats. As noted above, our Cyber SteCo also has implemented comprehensive incident response plans that define the appropriate communication flow and response for certain categories of potential cybersecurity incidents. The Cyber SteCo escalates events, including to the Chief Executive Officer and Board of Directors, as deemed necessary.
The Cyber SteCo oversees our engagement with reputable third parties, which we utilize in connection with our established processes to assess, identify, and manage potential and actual cybersecurity threats, to actively monitor our systems internally using widely accepted digital applications, processes, and controls, and to provide forensic assistance to facilitate system recovery in the case of an incident.
If there is a cybersecurity incident, we may suffer interruptions in service, loss of assets or data, or reduced functionality. Many of our systems are not redundant, and our disaster recovery planning may not be sufficient for every eventuality a cybersecurity incident could cause. Security breaches of our systems which allow inappropriate access to or inadvertent transfer of information and misappropriation or unauthorized disclosure of confidential information belonging to us or to our employees, customers, or suppliers could result in our suffering significant financial and reputational damage. Customers may use our products and/or software to generate or manage critical information. Though we take steps to ensure our products and/or software are secure, it is possible that a cyber attack could result in the loss or compromise of critical information. If a customer alleges that a cyber attack causes or contributes to a loss or compromise of critical information, whether or not caused by us, we could face harm to our reputation and financial condition as it could cause us to incur legal liability and increased costs to respond to such events.