Page last updated on February 14, 2025
Envista Holdings Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-13 16:12:49 EST.
Filings
10-K filed on 2025-02-13
Envista Holdings Corp filed a 10-K at 2025-02-13 16:12:49 EST
Accession Number: 0001757073-25-000007
Item 1C. Cybersecurity.
Risk Management and Strategy

We are committed to taking action to protect our information assets and systems. We have an enterprise-wide information security program designed to identify, protect against, detect, and respond to and manage reasonably foreseeable cybersecurity risks and threats, including those associated with our use of third-party service providers. We have installed privacy/security protection systems and devices on our network in an attempt to prevent cyberthreats and other unauthorized access to information. Additionally, we conduct security risk assessments prior to engaging third party suppliers and other vendors and business partners to validate that they maintain appropriate safeguards to protect our and their information systems in connection with services they provide. This risk assessment is heightened with respect to vendors or business partners that have access to our critical systems and information.

We have adopted an Information Security Policy applicable to all of our employees and business partners. We provide security awareness education and training for our employees annually, conduct regular internal “phishing” testing and mandatory training for “clickers,” and publish internal alerts to highlight any emerging or urgent security threats.

We also maintain a Global Security Incident Response Plan (“GSIRP”) to guide our response in the event of a cyberattack or other form of network penetration. Our GSIRP is a cross functional plan that documents the details and decision-making processes required during a response to a security incident, as well as the reporting protocol with escalation timelines and responsibilities. We test our GSIRP with tabletop exercises administered by a third party security consultant.

We leverage the standards set by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as well as industry best practices to measure our security posture and manage risk. We also maintain cyber liability insurance to help mitigate potential liabilities resulting from cyber issues, although our insurer may deny coverage for a future claim or our insurance coverage may be insufficient to cover all losses from a cyberattack.

We evaluate and manage risks relating to cybersecurity as part of our overall enterprise risk management program. We perform an annual assessment across the Company to identify and review potential risks. Risks are prioritized based on threat models to improve cybersecurity throughout the Company.

Cybersecurity Governance

Our Senior Director of Information Security reports to our Chief Information Officer and is responsible for leading our enterprise-wide information security team. The team focuses on developing and implementing strategies, processes and response plans to protect the confidentiality, integrity, and availability of our assets. Our Senior Director of Information Security has prior experience as a chief information security officer and over 25 years of experience in Technology and Security. Our security team also includes members who maintain industry security certificates. Our team is additionally supported by third parties to assist in the operations of our program, compliance audits and security penetration testing.

Our Board of Directors oversees our enterprise risk management program. The Audit Committee of our Board of Directors has the responsibility of exercising oversight with respect to our cybersecurity risk management and risk controls. Our Chief Information Officer provides periodic reports to the Audit Committee regarding our cybersecurity program, including our information risk management and oversight, security education and training, cyber threat detection and response processes, and relevant internal and industry cybersecurity attacks. The Board also receives a report out on cybersecurity issues and governance at least annually, with periodic updates as needed. Board members receive periodic presentations on cybersecurity topics from our Chief Information Officer and external experts as part of the Board’s continuing education on topics that impact public companies.

Material Cybersecurity Risks, Threats, and Incidents

Like most multinational corporations, our information technology systems have been subject to computer viruses, malicious codes, unauthorized access and other cyberattacks, and we expect the sophistication and frequency of such attacks to continue to increase. For example, during the second half of 2023, one of our largest distributors experienced a cybersecurity incident which impacted their ability to place orders and consequently impacted the timing of orders received. This incident, however, as well as other cyberattacks to date, did not have a material impact on our business strategy, results of operations or financial condition. There can be no assurance that future incidents will not materially affect us, including our business strategy, results of operations or financial condition. Please refer to “Item 1A. Risk Factors-Risks Related to Our Business” for further detail about the material cybersecurity risks we face.

Company Information
Name | Envista Holdings Corp |
CIK | 0001757073 |
SIC Description | Dental Equipment & Supplies |
Ticker | NVST - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |