BIO-TECHNE Corp 10-K Cybersecurity GRC - 2024-08-22

Page last updated on August 22, 2024

BIO-TECHNE Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-22 16:30:35 EDT.

Filings

10-K filed on 2024-08-22

BIO-TECHNE Corp filed a 10-K at 2024-08-22 16:30:35 EDT
Accession Number: 0001558370-24-012430

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Governance and Oversight Bio-Techne’s cybersecurity program is led by the Company’s Chief Information Security Officer (“CISO”), with day-to-day management and administration of our cybersecurity program performed by the IT Security Operations team. The CISO reports to the Chief Information Officer (“CIO”), and the CIO reports to the Chief Executive Officer. The CISO is supported by the Incident Response Team (“IRT”), a multi-disciplinary management committee comprising senior members from the Security Operations Team, legal, finance, internal audit and other functions. The IRT supports the CISO and CIO in supporting and reviewing information security risks and in the event of a cybersecurity incident provides leadership with respect to incident response, investigation, mitigation and remediation. In addition to leadership and support within management, we also work with security service providers to monitor for vulnerabilities and threats, and which are reported to the Security Operations team. All employees are trained and tested annually on cybersecurity risks, and we continually perform simulated phishing exercises with a focus on roles and functions with access to sensitive company and financial information. We also conduct periodic tabletop exercises for key personnel involved in cybersecurity risk management, including the IRT. Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks. The Board exercises its oversight function through the Audit Committee, which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter. In addition, the Audit Committee is specifically responsible for the review and approval of any cybersecurity incident disclosure, as set forth in the Committee’s charter. In the event of a potentially significant cybersecurity incident, the Audit Committee’s charter requires that management promptly communicate and consult with the Audit Committee. Bio-Techne’s General Counsel updates the Audit Committee multiple times per year regarding Bio-Techne’s cybersecurity programs, including regularly-tracked metrics on incident response, internal security testing, and measures implemented to monitor and address cybersecurity risks and threats, as appropriate. The Audit Committee regularly updates the full Board on these matters. In addition, the CISO and/or CIO provides the full Board with a thorough review of the Company’s cybersecurity program, including current status, industry risks and exposure, and future strategy. Based on the information we have as of the date of this Annual Report, we do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect Bio-Techne, including our business strategy, results of operations or financial condition. However, please see Item 1A. Risk Factors - “A significant disruption in, or breach of security of, our information technology systems or data, or violation of data privacy laws, could result in damage to our reputation, data integrity and/or subject us to costs, fines, or lawsuits under data privacy or other laws or contractual requirements.” Cybersecurity Risk Management and Strategy Bio-Techne’s cybersecurity strategy is to maintain and fortify a secure, actively-monitored environment for our and our customers’ data that complies with legal requirements [and industry best practice] while supporting our and our customers’ business needs. Our cybersecurity program follows industry standards and best practice for preventing, detecting, remediating, and mitigating potential cybersecurity threats, including regular processes to identify, evaluate and manage potential risks. Our IT Security Operations team administers and monitors the prevention, detection, mitigation, and remediation of potential cybersecurity risks. This team leverages both Bio-Techne’s internal IT resources, including its personnel, as well as managed security service providers and other third-party security software and technology services, as well as through other means. We also have implemented processes and technologies for network monitoring and data loss prevention procedures. We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security testing and have established a vulnerability management process supported by security testing, for the treatment of identified security risks based on severity, including risks arising from our use of third party providers software and service providers. In addition to our evolving processes and systems, we foster a culture of cybersecurity education, training, and testing. Every year, employees in sensitive job categories must take and pass rigorous information security and protection training. We partner with experienced external consultants to assess our cybersecurity program, and to perform penetration testing as well as other testing programs designed to identify vulnerabilities and areas for fortification. Also, as part of our cybersecurity risk management program we maintain cyber insurance, with coverage amounts and terms that are typical and appropriate for a company of our size and type. This insurance may not be sufficient to cover us against all types of claims related to security breaches, cyberattacks and other related breaches.

Company Information