OSI SYSTEMS INC 10-K Cybersecurity GRC - 2024-08-29

Page last updated on August 29, 2024

OSI SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-08-29 17:15:12 EDT.

Filings

10-K filed on 2024-08-29

OSI SYSTEMS INC filed a 10-K at 2024-08-29 17:15:12 EDT
Accession Number: 0001410578-24-001571


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We maintain high standards with respect to cybersecurity, in accordance with regulatory guidelines, contractual requirements and industry practices. Our cybersecurity strategy is aimed to anticipate, detect, and respond to threats, ensuring the resilience and integrity of our operations. We use a risk management process, overseen by our Information Security Officer ("ISO"), that encompasses technical security controls, policy compliance mechanisms, monitoring systems, contractual agreements, and governance. Our cybersecurity risk management process is integrated with our overall enterprise risk management process and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management process to other legal, compliance, strategic, operational and financial risk areas. Key elements of our cybersecurity risk management program include a cybersecurity incident response plan with procedures for responding to cybersecurity incidents and annual data protection and cybersecurity awareness training of our employees who have access to information systems. We have implemented security control principles that follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework with the main goal of our cybersecurity risk management process being to protect the confidentiality, integrity, and availability of our information assets. Our external auditors annually review our information security management system, which has an ISO/IEC 27001 certification. We monitor our environment for cybersecurity threats with real-time ability to activate measures to minimize impact, respond to incidents, and investigate issues.

We routinely conduct security assessments of our applications, manage vulnerabilities, and perform penetration testing as well as exercises that mimic cybersecurity incidents to evaluate and enhance our security posture and lower cybersecurity risk. In addition to our own systems and technology, we rely on third-party service providers for certain software, technology and cloud-based systems and services that support a variety of critical business operations. We have policies and processes designed to identify, assess and manage cybersecurity risk relating to these third-party service providers. When contracting with these providers, the procurement function works closely with the compliance and legal teams to conduct diligence and help appropriately manage risk, including cybersecurity risk, throughout the life cycle of the contract. We have developed, and seek to incorporate, standard contractual security requirements into our service provider agreements. We also perform cybersecurity assessments of third-party service providers where we deem appropriate given the nature of the engagement and the data and systems expected to be accessed. We have not identified any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial situation. However, despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident or will not experience a cybersecurity incident in the future. For additional information on cybersecurity related risks, see "Item 1A. Risk Factors" of this Annual Report on Form 10-K.

Governance

Several members of the Board comprise the Risk Management Committee (RMC), which is responsible, among other things, for oversight of cybersecurity risks based on the authority given by our Board of Directors. The RMC receives regular updates at least quarterly from management, including our Chief Information Officer (CIO) and our Information Security Officer (ISO), with evaluations of cyber risk, the threat environment, updates on incidents, and advancements on investments in cybersecurity risk reduction. Our CIO has been with the Company since January 2021 and has over 25 years of global experience. He has served in numerous senior leadership positions where he gained significant cybersecurity and risk management experience across multiple high-tech industries. Our ISO has been with the Company since July 2018 and similarly has over 25 years of extensive cybersecurity, risk and compliance experience, including CISSP and CISM certifications. Information Security, Corporate Audit, Finance, Legal, Compliance and Investor Relations have a strong partnership at the management level and have established a Cybersecurity Council that connects the risk management and cybersecurity incident response processes. In the event of a cybersecurity breach, the ISO will inform the Cybersecurity Council, and then the Cybersecurity Council will determine materiality and next steps. The Cybersecurity Council will meet with the RMC and/or the full Board as needed to share details of the event and facilitate reporting to regulators as required.


Company Information

Name: OSI SYSTEMS INC
CIK: 0001039065
SIC Description: Semiconductors & Related Devices
Ticker: OSIS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: June 29