HAEMONETICS CORP 10-K Cybersecurity GRC - 2024-05-20

Page last updated on July 16, 2024

HAEMONETICS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-05-20 06:16:11 EDT.

Filings

10-K filed on 2024-05-20

HAEMONETICS CORP filed a 10-K at 2024-05-20 06:16:11 EDT
Accession Number: 0000313143-24-000020


Item 1C. Cybersecurity.

We assess, identify and manage risks from cybersecurity threats through our global cybersecurity program. The program is managed by a full-time Chief Information Security Officer (“CISO”) whose organization manages our cybersecurity strategy, architecture, policies, standards and processes for the security of Haemonetics’ enterprise network and information assets. The CISO reports to our Chief Information Officer (“CIO”) and is supported by a dedicated security operations team. Our current CISO has over 20 years of information technology experience, including positions of increasing responsibility with respect to security architecture, software engineering, security operations and incident response. The CISO’s organization monitors, manages and works to identify and assess, cybersecurity risks through various technologies, resources, processes and policies that are regularly updated to align with the changing threat landscape, our evolving business needs as well as global regulatory requirements.

Our global cybersecurity program is aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and is certified to the ISO 27001 global standard on Information Security Management. Our cybersecurity program is closely integrated with our QMS under the ISO 13485 standard. Our program utilizes layered defenses to help protect against cybersecurity threats and to work to secure our assets, reduce detection time and improve recoverability. Among other things, this includes ongoing systems monitoring with support from a managed detection and response service provider and other third-party vendors to augment our monitoring and response capabilities, as well as a standardized incident response program with incident response team members participating in regularly scheduled management reviews and tabletop exercises.

Our CISO and CIO conduct regular cross-functional management reviews of our programs, including with members of senior leadership. All employees and those contractors of the Company with access to our information systems receive annual cybersecurity awareness training, and we have integrated cybersecurity and data protection topics into our Code of Conduct. All critical information systems have a written business continuity plan that is exercised at least annually. The entire program is audited annually by both internal and third-party auditors.

Cybersecurity is also included in our product development life cycle and part of our vendor and business partner evaluation process. Our product development approach considers cybersecurity best practices and builds security controls into our product design. Haemonetics is a member of MedISAO, an industry organization dedicated to improving the security of medical devices, where security issues can be reported securely. We monitor our products for vulnerabilities and follow bulletins, patches and alerts posted to our download center or communicated directly to customers. Additionally, we conduct security risk assessments prior to engaging third party suppliers and other vendors and business partners to validate that they maintain appropriate safeguards to protect our and their information systems in connection with services they provide. This risk assessment is heightened with respect to vendors or business partners that have access to personal information that we collect, maintain or use.

We evaluate cybersecurity risk as part of our broader enterprise risk framework. Our Board oversees Haemonetics’ enterprise-wide approach to risk management while our management team is responsible for managing risk on a day-to-day basis and for bringing to the Board’s attention material risks facing the Company, including with respect to cybersecurity threats. The Board focuses on the quality and scope of the Company’s risk management strategies and considers the most significant areas of risk inherent in the Company’s business strategies and operations as well as the steps that management is taking to mitigate those risks. We conduct an annual enterprise risk assessment - including consideration of cybersecurity risks - that is reviewed with the Board and Audit Committee and informs strategic priorities throughout the Company. Additionally, certain Board committees consider discrete categories of cybersecurity risk relating to their respective areas of responsibility. Our CISO reports at least annually on Haemonetics’ threat landscape and security programs to our Governance and Compliance Committee, which oversees Haemonetics’ compliance programs and policies regarding data privacy and cybersecurity risks associated with our information technology systems. Management also reports on these programs to the Audit Committee as needed and periodically reviews with our Technology Committee certain aspects of new and existing products as they relate to quality, safety and cybersecurity.

Based on the information available as of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, see Item 1A. “Risk Factors” for a discussion of cybersecurity-related risks.


Company Information

Name: HAEMONETICS CORP
CIK: 0000313143
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: HAE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 29