Page last updated on November 19, 2024
Varex Imaging Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-19 16:08:11 EST.
Filings
10-K filed on 2024-11-19
Varex Imaging Corp filed a 10-K at 2024-11-19 16:08:11 EST
Accession Number: 0001681622-24-000089
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We depend on information systems and technology in many aspects of our business, including running our manufacturing operations and communicating among our employees, suppliers and customers. Such uses of information systems and technology give rise to cybersecurity risks, including risk of system disruption, security breach, ransomware, theft, and inadvertent release of information. We have a risk-based cybersecurity program and a dedicated team of cybersecurity professionals focused on protecting our data and information systems. These cybersecurity threats and related risks make it necessary for us to stay apprised of developments in the information security field, and dedicate resources on cybersecurity.
With Board of Directors and Audit Committee oversight, as part of our annual enterprise-wide risk management process, we assess and manage the material risks associated with cybersecurity. To identify, assess, and manage material cybersecurity risks, our team uses a cybersecurity risk assessment process aligned with leading frameworks such as the Cyber Security Framework of the National Institute of Standards and Technology (“NIST”) and the Center for Internet Security (“CIS”) Critical Security Controls. Our cybersecurity risk assessment program provides the underlying basis for the activities of our team to identify and mitigate risks from, as well as develop risk management and response strategies for, evolving and emerging cybersecurity threats.
Our cybersecurity program includes a variety of processes to assess, identify and manage risks from cybersecurity threats arising from our own and third-party provided systems, including information security policies and procedures, simulation exercises, network and endpoint monitoring and detection tools, vulnerability management processes, risk assessments, third-party penetration testing and security requirements for our suppliers, vendors, and service providers. We have also engaged third parties to enhance and strengthen our cybersecurity program, to provide additional capabilities and support, and to provide periodic independent assessments and evaluations of our cybersecurity program, including through table top exercises to simulate responses to cybersecurity incidents, and other professional services.
We also monitor and test our safeguards and train our employees on cybersecurity safeguards related to our information technology systems. Our employees are required to take periodic training on cybersecurity and data privacy, and we conduct regular phishing email simulations to enhance awareness and responsiveness to such possible threats. We carry information security risk insurance that provides protection against certain defined potential losses arising from a cybersecurity incident.
In the event of a suspected incident, our incident response plan outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying the head of our Information Technology department (“Head of IT”) and functional areas (e.g., legal and human resources) as appropriate. This includes processes for assessing such incidents for materiality, making required notifications, disclosures or communications and determining, among other things, whether any prohibition on the trading of our common stock by insiders should be imposed prior to the disclosure of information about a material cybersecurity event.
We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under Item 1A, “Risk Factors” in this Annual Report, which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Cybersecurity Governance
Our Board of Directors, both directly and through the delegation of responsibilities to the Audit Committee, is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity strategy, programs, and risk mitigation activities, as well as other developments and action items related to cybersecurity. In its meetings, the Audit Committee has the opportunity to discuss these matters with the head of our Information Technology department and other members of executive management. Members of the Board are also encouraged to engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
Our cybersecurity risk management and strategy processes are managed by the head of our Information Technology department, and our IT team is responsible for enterprise-wide informational technology, coordinating with various functions and business groups to ensure they are following best practices. The head of our Information Technology department, along with our cybersecurity program manager, are principally responsible for overseeing the risks related to cybersecurity.
They are responsible for cybersecurity incident preparedness, approving cybersecurity processes, reviewing security assessments and other security-related reports, and providing the senior leadership with regular updates on cybersecurity-related matters. These team members combined have more than 39 years of experience in technology and information security risk management across a number of organizations, have multiple relevant technical and governance certifications, and are active in a number of cybersecurity related boards and organizations.
Company Information
Name | Varex Imaging Corp |
CIK | 0001681622 |
SIC Description | Electronic Components, NEC |
Ticker | VREX - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | September 26 |