STERIS plc 10-K Cybersecurity GRC - 2024-05-29

Page last updated on July 16, 2024

STERIS plc reported its cybersecurity risk management and governance process in an annual report on Form 10-K filed on 2024-05-29 16:35:52 EDT.

Filings

10-K filed on 2024-05-29

STERIS plc filed a 10-K at 2024-05-29 16:35:52 EDT
Accession Number: 0001757898-24-000008


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

At STERIS, the enterprise risk management (“ERM”) program is designed to identify, assess, and manage risks across STERIS’s enterprise. Cybersecurity risk management is integrated into STERIS’s ERM program, under which we regularly assess cybersecurity risks in accordance with what we believe are industry cybersecurity best practices. Further, we implement controls to protect the confidentiality, integrity and availability of STERIS’s information systems and information. We maintain cybersecurity and incident response procedures to address our security standards and requirements and provide a framework for assessing and responding to cybersecurity threats and incidents. Additionally, as part of our ERM program, STERIS oversees and identifies risks associated with third-party service providers with whom we do business, which process includes due diligence, risk management assessments and contractual safeguards. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cybersecurity issues.

STERIS has an Executive Cybersecurity Steering Committee consisting of the Senior Vice President & Chief Financial Officer, the Vice President, Chief Accounting Officer, the Vice President, Investor Relations & Corporate Communications, the Vice President & Chief Information Officer (“CIO”), the Vice President, Chief Compliance Officer, the Senior Vice President, General Counsel & Company Secretary, and the Chief Information Security Officer (“CISO”) that is responsible for providing governance, risk and compliance oversight for STERIS’s incident response program, providing guidance and support for cybersecurity non-technical initiatives, and for verifying that appropriate actions are taken following an incident occurrence.
We have adopted and maintain an incident response policy that covers our incident response program and the duties and responsibilities of our Incident Response Team (“IRT”) responsible for managing and responding to cybersecurity incidents, including data breaches. Our IRT is led by the CISO and is comprised of senior management and others, including external resources, as required. Our incident response policy includes steps for detecting and investigating cybersecurity incidents, assessing the nature, scope, and severity of cybersecurity threats, identifying the impact of cybersecurity incidents, communicating cybersecurity incident disclosures, and implementing cybersecurity countermeasures and mitigation strategies. A subcommittee of our IRT reviews and assesses associated public reporting implications of cybersecurity incidents. Our process also includes informing the Board of Directors and the Audit Committee following a material cybersecurity incident. We engage third-party security experts to support our risk assessment activities and to provide system security enhancements. Our program includes regular vulnerability and penetration testing (internal and external) of our enterprise systems by independent external security experts. Education and awareness training on information security and data protection is conducted regularly for Associates. Members of the IRT, the Executive Cybersecurity Steering Committee and the Board of Directors receive additional training on responding to cybersecurity incidents. Our Board of Directors has oversight responsibility for the ERM program, and delegates the risk management assessment and risk management approach, including risks related to cybersecurity, to its Audit Committee. Among other responsibilities, the Audit Committee is responsible for monitoring internal controls, including those related to cybersecurity risk. 
Management is responsible for identifying, considering, and assessing material cybersecurity risks on an ongoing basis, establishing processes to monitor such potential cybersecurity risk exposures, putting in place appropriate mitigation measures and maintaining the cybersecurity program. Our cybersecurity program for our information systems is directed by our CIO and, with the cybersecurity team, our CIO monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our CISO is CISSP-ISSMP and CISM certified and is part of a team of experienced information system security professionals with diverse certifications, including CISSP, CISM, CNSS, CEH, CySA+, CompTIA Security+, PenTest+, CASP+ and others. Management, including the CIO and CISO, updates the Audit Committee on a regular basis on our cybersecurity program, material cybersecurity risks, mitigation strategies, cybersecurity metrics, developments in cybersecurity and proposed updates to our cybersecurity program. In fiscal year 2024, STERIS did not experience any cyberattack or other attempted intrusion or other incident with respect to our information systems that materially affected or was likely to materially affect our business strategy, results of operations, financial condition or cash flows. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced or will not experience in the future undetected cybersecurity incidents. For more information about these risks, please see “Item 1A Risk Factors” in this annual report on Form 10-K.


Company Information

Name: STERIS plc
CIK: 0001757898
SIC Description: Orthopedic, Prosthetic & Surgical Appliances & Supplies
Ticker: STE - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: March 30