RESMED INC 10-K Cybersecurity GRC - 2024-08-08

Page last updated on August 9, 2024

RESMED INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-08 20:09:34 EDT.

Filings

10-K filed on 2024-08-08

RESMED INC filed a 10-K at 2024-08-08 20:09:34 EDT
Accession Number: 0000943819-24-000013


Item 1C. Cybersecurity.

Risk Management and Strategy

We seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, integrity, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our cybersecurity program is designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Our management team has adopted policies, standards, processes, and practices and implemented controls and procedures that allow us to assess, identify and manage material risks from cybersecurity threats, enabling our board of directors to actively oversee the strategic direction, objectives, and effectiveness of our cybersecurity risk management framework. Our processes are integrated into our overall enterprise risk management program, as implemented by management and as overseen by our board of directors. Our board of directors has an important role in risk oversight.

To identify and assess material risks from cybersecurity threats, we use a risk assessment process aligned with standard industry frameworks such as the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27001 and other industry standards. We engage in regular network and endpoint monitoring, vulnerability assessments, and penetration testing, among other exercises. We continuously monitor threats and unauthorized access to our network through both internal and external third-party resources. We have developed incident response plans which include triage, assessing the severity of incidents, escalation protocols, containment of incidents, investigation of incidents, and remediation.

We provide annual privacy and security training for all employees which incorporates awareness of cyber threats (including but not limited to malware, ransomware, and social engineering attacks), password hygiene and incident reporting processes. We have also implemented processes to identify, monitor and address material risks from cybersecurity threats associated with our use of critical third-party service providers, including those in our supply chain or who have access to our systems, data or facilities that house such systems or data. Additionally, we require those third parties that could introduce significant cybersecurity risk to us to provide ISO certifications or Service Organization Controls (SOC) 2 reports as evidence of a cybersecurity audit, and these reports are reviewed and assessed for risk. We review our cybersecurity risk framework and related policies both internally and externally by third parties at least annually. Our risk management program is also reviewed annually as part of SOC 2 and Health Information Trust Alliance (HITRUST) Common Security Framework audits.

We are not aware of any known risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or the third parties with which we interact, will not experience a cybersecurity incident in the future that may materially affect us. For additional information, see Item 1A. “Risk Factors” for a discussion of cybersecurity risks that we face.

Governance

Role of the Board of Directors and the Audit Committee

As part of the board of directors’ role in overseeing our enterprise risk management program, which includes our cybersecurity risk management framework, the board of directors is responsible for exercising oversight of management’s identification and management of, and planning for, material cybersecurity risks that may reasonably be expected to impact us. The board of directors is informed of our cybersecurity risk management and receives an overview of our cybersecurity program from the Chief Information Security Officer (CISO) at least annually. That overview covers, among other topics, the cybersecurity risk landscape and trends, data security posture, results from third-party assessments, training and vulnerability testing, our incident response plan, material cybersecurity risks, whether developing or actual, as well as the steps management has taken to respond to such risks, and emerging cybersecurity regulations, technologies and best practices.

Role of Management

Our CISO, our Chief Financial Officer, our Global General Counsel, internal audit, and privacy teams are responsible for management’s oversight of cybersecurity governance, awareness, and security compliance. Our CISO meets regularly with this group to review the cybersecurity program designed to protect our information systems from cybersecurity threats and to respond to incidents in accordance with our incident response plan. The CISO manages a team that is responsible for day-to-day tracking, assessing and management of threats. Through ongoing communications, the CISO and key stakeholders are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity infrastructure initiatives.

In the event of a material cybersecurity incident or investigation, management will, in compliance with escalation protocols in place, promptly report to the board of directors, as appropriate, in accordance with our incident response plan and other policies, and determine the timing of action and the necessary response. Our CISO has over 20 years of experience in various roles in information technology and information security, including serving as CISO at Mattel and Universal Music Group. He holds an MBA degree and holds several relevant certifications, including Certified Information Security Manager, Certified Information Systems Security Professional, Certified in Risk and Information System Control, and Certified Information Privacy Professional.


Company Information

Name: RESMED INC
CIK: 0000943819
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: RMD - NYSE; RSMDF - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: June 29