HOLOGIC INC 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 27, 2024

HOLOGIC INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 07:24:17 EST.

Filings

10-K filed on 2024-11-27

HOLOGIC INC filed a 10-K at 2024-11-27 07:24:17 EST
Accession Number: 0000859737-24-000024


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures designed to protect the security, confidentiality, integrity, and availability of our business systems and information. We base our cybersecurity risk management program upon and measure it against the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0. Our cybersecurity risk management program includes the following:

- A dedicated staff of cybersecurity and risk management professionals;
- Defined security policies and standards;
- Annual mandatory employee cybersecurity and privacy compliance awareness training;
- Cybersecurity tooling for detecting and responding to cyber incidents;
- Cybersecurity incident response and major crisis plans that govern activities such as detection, coordination, remediation, recovery, and escalation to senior management and, where appropriate, our Audit and Finance Committee and our Board;
- Disaster recovery plans;
- Periodic tabletop exercises to promote awareness and improve internal processes;
- Periodic penetration testing and vulnerability management processes; and
- Third-party risk assessments for suppliers and vendors, which may require such third parties to sign data processing agreements, comply with particular security controls, or complete an additional security and privacy assessment.

Our program also utilizes third-party security providers for specialized areas, including penetration testing, staff augmentation, consulting and other on-demand cybersecurity services. We also leverage a managed security service provider to augment our cybersecurity organization and to provide additional monitoring and response capabilities.
We have integrated cybersecurity related risks into our enterprise risk management program, which is designed to identify, prioritize, assess, monitor and mitigate the various risks confronting our Company, including both external and internal cybersecurity risks. When identified, risks are reported to relevant business and governance leaders within the Company for appropriate action. When potential improvements are identified, we weigh the costs and benefits of such improvements (including against other potential improvements) and, if selected, the improvements are added to a roadmap for possible implementation.

As a global company, we manage a variety of cybersecurity threats and cannot wholly eliminate the risk of adverse impacts from such incidents. Further, the scope and impact of any future incident cannot be predicted. However, as of the date of this Form 10-K, we are not aware of cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of our operations or financial condition. For additional information on the risks from cybersecurity threats that we face, please refer to the “Risk Factors” in Part I, Item 1A. of this Form 10-K.

Governance

Our cybersecurity risk management program is led by our Chief Information Security Officer (CISO), who oversees a dedicated cybersecurity and risk management team, which works in partnership across the Company, under the direction of our Chief Information Officer (CIO). Our CISO has over 20 years of experience working in defense and cybersecurity and has served in various cybersecurity leadership roles within Fortune 500 companies. He and our cybersecurity team have extensive experience in leading and addressing IT risk management, security architecture and engineering, security operations, data security, and identity and access management.
Our CISO also works closely with our legal team to oversee compliance with legal, regulatory and contractual security requirements. As part of management’s oversight of our cybersecurity program, we also maintain an executive-level cybersecurity steering committee, comprised of Hologic’s Chief Financial Officer, General Counsel, Head of Internal Audit, Chief Information Officer, Head of Human Resources, Head of Global Supply Chain, and Division President of Breast and Skeletal Health, to help address cybersecurity risks at an enterprise level. The cybersecurity steering committee is a decision-making body that coordinates and communicates the direction, current state, and oversight of our cybersecurity and risk management programs. While our Board oversees our overall risk management process, as part of its oversight, the Board has delegated primary responsibility for the oversight of cybersecurity risks, including management’s steps to monitor and control such risks, to our Audit and Finance Committee. On a quarterly basis, our CIO and CISO provide updates to the Audit and Finance Committee on the cybersecurity and related risk management programs, including recent developments and current risk assessments. Our CIO and CISO typically also meet in person with the Audit and Finance Committee twice annually for a more detailed discussion of significant threats, risk mitigation strategies, any security program assessments and identified improvements. Additionally, our CIO and CISO meet at least annually with the full Board and report on the Company’s Information Technology program and more specifically, cybersecurity matters.


Company Information

Name: HOLOGIC INC
CIK: 0000859737
SIC Description: X-Ray Apparatus & Tubes & Related Irradiation Apparatus
Ticker: HOLX - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 27