NEOGEN CORP 10-K Cybersecurity GRC - 2024-07-30

Page last updated on July 30, 2024

NEOGEN CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-30 13:58:38 EDT.

Filings

10-K filed on 2024-07-30

NEOGEN CORP filed a 10-K at 2024-07-30 13:58:38 EDT
Accession Number: 0000950170-24-087670


Item 1C. Cybersecurity.

We rely on several information systems throughout our company, as well as those of our third-party business partners, to provide access to our web-based products and services, keep financial records, analyze results of operations, process customer orders, manage inventory, process shipments to customers, store confidential or proprietary information, and operate other critical functions. Our information systems and our business partners' and suppliers' information systems may be vulnerable to attacks by hackers and other security breaches, including computer viruses and malware, through the internet, email attachments, and persons with access to these information systems, such as our employees or third parties with whom we do business. These risks have increased as information systems and the use of software and related applications become more cloud-based. We have implemented various programs, processes, and systems designed to mitigate these risks.

Risk Management and Strategy

We have a comprehensive cybersecurity risk assessment program designed to assess, identify, and manage material risks associated with cybersecurity threats and vulnerabilities and to mitigate the potential impact of any cybersecurity incidents on our operations and financial condition. We routinely review, modify, and update this program as necessary to address emerging risks. Our process for addressing risk is based on industry best practices outlined in the CIS Critical Security Controls. Although this program is integrated within the Company's overall risk management system, the implementation of this program requires a unique and specialized level of expertise and experience, which has led us to create a cybersecurity team and various processes designed to address these specific risks, as discussed more below.

We regularly engage consultants, auditors, and other third parties to assist in developing, maintaining, and enhancing our cybersecurity risk assessment program. These third-party engagements supplement our internal capabilities and help ensure the robustness of our program. Examples of these engagements include penetration testing of our customer-facing domains, quarterly cybersecurity briefings with outside counsel, and an annual assessment of our overall cybersecurity program. We maintain policies and procedures to identify and monitor cybersecurity risks associated with these third-party service providers, particularly those with access to customer, employee, or other sensitive data. Our selection and oversight of these providers includes diligence reviews, contractual protections, and other measures to mitigate these risks over the entire lifecycle of the relationship, including through implementation of the CIS Critical Security Controls.

In addition to these prevention measures, we work proactively to detect and minimize the impact of cybersecurity incidents. We have a written incident response plan designed to ensure the appropriate internal and, if necessary, external resources are employed to promptly and effectively respond to potential breaches, minimize any related damage, and avoid disruption to our operations. We routinely test our incident response process through simulated incidents. No risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. While we have not experienced any cybersecurity incidents or threats that have materially impacted us or our business, we have encountered incidents in the past, which we have used to improve our program and defenses.

Since it is possible we could experience a material cybersecurity incident in the future, we remain diligent in maintaining and continuously improving our program in an effort to prevent such incidents and, if one were to occur, to manage it effectively.

Governance

Board of Directors Oversight

The Governance and Sustainability Committee of our Board of Directors (the "Governance Committee") is responsible for providing oversight and policy direction on our risk management policies and programs, including those relating to cybersecurity. The Charter of the Governance Committee specifically requires the committee to periodically review the Company's enterprise cybersecurity strategy and framework, including the Company's assessment and management of cybersecurity threats and risks, data security programs, applicable laws and regulations, and the Company's management and mitigation of cybersecurity and information technology risks and potential breach incidents, including our incident response plan. The Governance Committee is also tasked with reviewing any significant cybersecurity incident that occurs.

The Governance Committee is required by its Charter to consist of not fewer than three independent directors, and the committee currently consists of five independent directors. The Governance Committee typically meets on a quarterly basis. At each meeting, a written cybersecurity brief from IT leadership is provided. These reports include a review of emerging cybersecurity risks and developments and updates to our cybersecurity risk assessment program. The Governance Committee provides regular reports to the full Board of Directors on its oversight of the Company's cybersecurity risks and risk management system.

Management's Role

Our management team is primarily responsible for assessing and managing material risks to the Company from cybersecurity threats. We have a cross-functional cybersecurity team led by our cybersecurity manager and comprised of personnel from our information technology group, including the head of IT, and senior leadership. We have established a robust framework for preventing, identifying, evaluating, and mitigating cybersecurity risks. Our cybersecurity manager is designated as the senior executive responsible for cybersecurity and reports directly to the head of IT. Our cybersecurity manager has a comprehensive information technology background and over ten years of service in managing or assisting in managing cybersecurity risks. To support the head of IT and cybersecurity manager in managing cybersecurity risks, we established a cross-functional cybersecurity team that includes experts in various aspects of information security. Combined, this team of employees includes individuals with over 30 years of prior work experience in cybersecurity and data protection. These individuals are responsible for the day-to-day implementation of our cybersecurity program.

We employ a comprehensive set of processes to monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. These processes include:

- Continuous monitoring of network traffic and information technology systems for signs of potential threats;
- Regular vulnerability assessments and penetration testing to identify and address weaknesses;
- Implementation of cybersecurity measures, such as firewalls, intrusion detection systems, and data encryption;
- Employee training and awareness programs to educate all staff about cybersecurity risks and prevention measures; and
- Incident response plans to ensure swift, effective, and adequate disclosure of cybersecurity incidents to the appropriate individuals within the Company.

These processes are regularly reviewed and updated to adapt to evolving cybersecurity threats and any changes in our systems or business operations.

Our head of IT, cybersecurity manager, and other members of our cybersecurity team provide quarterly updates and reports to the Governance Committee of our Board of Directors on cybersecurity risks and our risk management systems. Our cybersecurity team is also required to provide senior management and the Governance Committee with more frequent updates on major developments regarding cybersecurity matters or as otherwise appropriate. As noted above, the Governance Committee provides regular updates to the Board on these matters so that the Board remains adequately informed about this important aspect of the Company's overall risk management.


Company Information

Name: NEOGEN CORP
CIK: 0000711377
SIC Description: In Vitro & In Vivo Diagnostic Substances
Ticker: NEOG - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: May 30