Page last updated on February 21, 2025
IDEXX LABORATORIES INC /DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 08:28:50 EST.
Filings
10-K filed on 2025-02-21
IDEXX LABORATORIES INC /DE filed a 10-K at 2025-02-21 08:28:50 EST
Accession Number: 0000874716-25-000037
Item 1C. Cybersecurity.
Our Cybersecurity Risk Management Program

Like other companies, we currently inhabit an environment of increasing global cybersecurity vulnerabilities and threats. We aim to effectively assess, identify, and manage material risks from these cybersecurity threats through our cybersecurity risk management program. Our cybersecurity risk management program includes processes that incorporate and utilize certain principles from the National Institute of Standards and Technology Cybersecurity Framework and the Center for Internet Security - Top 18 Critical Security Controls - Control Level Framework. The program aims to protect and preserve the security, availability, integrity, confidentiality, and privacy of our information systems and information residing on those systems and includes controls and procedures for the prevention, identification, containment, and remediation of cybersecurity threats through the use of various technologies, tools, policies, standards, and practices.
Features of our cybersecurity risk management program include:
- An expectation, set forth in our Code of Ethics, that all employees are responsible for protecting our data, operations and environment from unauthorized access and use;
- Regular cybersecurity risk assessments and benchmarking;
- Policies and processes related to the detection and reporting of and response to cybersecurity events;
- Cybersecurity training for all newly hired employees upon onboarding;
- Individualized, biannual employee information security assessments, coupled with tailored follow-on employee trainings;
- Phishing tests conducted at least quarterly on a global basis, with additional periodic phishing tests conducted with high-risk employee groups;
- Channels for employees to report suspicious emails or other activity and the actual or suspected loss, theft, improper use of or access to IDEXX systems or information;
- Deployment and ongoing assessment of the effectiveness of technological tools aimed at preventing, detecting, and mitigating cybersecurity threats;
- Policies and procedures to assess third-party service provider cybersecurity risks and security controls and measures (as part of our procurement process and periodically thereafter);
- Periodic performance of cybersecurity tabletop exercises;
- Regular review of and, as applicable, updates to our cyber incident response plan and protocols, system backup measures, redundancy planning and disaster recovery plans; and
- Maintenance of a cyber risk insurance policy to help address risk of loss due to certain types of cybersecurity events.

A review of cybersecurity risks is integrated into our annual enterprise risk assessment that occurs as part of our annual strategic planning process and is included in our quarterly disclosure controls and procedures.
Our annual enterprise risk assessment process involves the identification and assessment by senior line-of-business and functional leaders, as well as our Chief Information Security Officer (“CISO”) and Chief Information Officer (“CIO”), of the risks relevant to their lines of business and functional areas, the materiality of those risks, our risk tolerances and our plans to manage and mitigate the risks to the extent prudent and feasible. From time to time, we engage third parties, including assessors, consultants, legal counsel, and others to conduct penetration testing, assess our program, provide recommendations for improvement, and advise us on best practices.

Material Effects from Risks of Cybersecurity Threats

We do not believe any risks from cybersecurity threats (including from any prior cybersecurity incidents) have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. There can be no assurances, however, that we or our business partners or suppliers will not experience a future system disruption, attack or security breach that materially impacts our business, operations, results of operations, or financial condition. For more information refer to “Item 1A. Risk Factors, General Risks, We depend on the continuous and reliable operation and security of our information technology systems and our products and services that incorporate or rely on information technology, and any disruption or significant cybersecurity breach or other incident could adversely affect our business.”

Governance of our Cybersecurity Risk Management Program

Role of Management

Our cybersecurity risk management program and activities are led by a dedicated CISO who is also our Vice President of Information Technology. Our CISO reports to our Senior Vice President and CIO, and oversees a team of information security professionals within the Information Security Group.
Our CISO joined IDEXX in 2024 and has more than twenty years of business and technical experience leading information technology teams, including cybersecurity teams, at high tech, marketing and healthcare companies. Our CISO, in close collaboration with our CIO, is responsible for our cybersecurity-related governance programs, overseeing testing of our compliance with standards and remediation of known risks, and leads our employee training program. Our CISO is responsible for providing information regarding our cybersecurity risk management program, as well as cybersecurity risks and incidents, to a senior management-level cybersecurity steering committee. Within our cybersecurity risk governance model, the steering committee, which includes our CIO, CISO, General Counsel, Chief Compliance Officer, Chief Audit Executive, Chief Human Resources Officer and other senior functional and business leaders, meets quarterly, and more frequently as warranted, to review and discuss, among other things, our cybersecurity risk assessments, prioritization of initiatives, training plans and incident response plan, protocols and testing. This committee regularly provides updates on its discussions and decisions to our Chief Executive Officer.

Role of the Board of Directors

The Audit Committee has responsibility for overseeing our cybersecurity risk management. In accordance with the Audit Committee’s charter, the Audit Committee at least annually reviews and discusses with management, including the CIO and CISO, our processes, policies, procedures, and protocols related to cybersecurity and information security.
In addition, the Audit Committee regularly reviews and discusses with management, including the CIO and CISO, cybersecurity program assessments and audits, planned improvements and the status of any information security initiatives, as well as risks from cybersecurity threats pertinent to us and any previous cybersecurity incidents experienced by us, including any material impact or reasonably likely material impact on the Company, our business strategy, results of operations, or financial condition. The Audit Committee provides reports to the Board at each regularly scheduled Board meeting of the matters it has recently addressed, including relating to the oversight of our cybersecurity risk management, and the full Board may participate, as warranted, in the Audit Committee’s sessions on cybersecurity risk management. Outside advisors also may meet from time to time with the Audit Committee or Board, as warranted, to review and discuss cybersecurity matters.
Company Information
Name | IDEXX LABORATORIES INC /DE |
CIK | 0000874716 |
SIC Description | In Vitro & In Vivo Diagnostic Substances |
Ticker | IDXX - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |