DENTSPLY SIRONA Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

DENTSPLY SIRONA Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 17:03:28 EST.

Filings

10-K filed on 2025-02-27

DENTSPLY SIRONA Inc. filed a 10-K at 2025-02-27 17:03:28 EST
Accession Number: 0000818479-25-000035


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Company maintains a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats. These include risks relating to disruption of business operations or financial reporting systems, intellectual property theft, exposure to fraud or extortion, harm to employees or customers, violation of privacy laws or other regulatory and compliance lapses, reputational risk, and inability to consistently deliver digital technologies. For more information on the Company’s risks related to cybersecurity, refer to “Risk Factors” in Item 1A of this Annual Report on Form 10-K. Identifying and assessing cybersecurity risk is fully integrated into our overall risk management systems and processes. The Company has established a cybersecurity and information security program that includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. We leverage the standards set by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as well as industry best practices to measure our security posture and manage risk. Our security program under this framework utilizes policies, software, training programs and hardware solutions to protect and monitor our environment, including multi-factor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. Our Chief Information Officer (“CIO”), who reports directly to the Chief Executive Officer, oversees the Company’s approach to managing cybersecurity and digital risk.

Our CIO also regularly engages with cross-functional teams at the Company and partners with our dedicated technology risk management and privacy teams and collaborates with our internal audit department to review information technology-related internal controls as part of the overall internal controls process. Our information security strategic plan includes the development of a single detection and response team across both the corporate and product information and technology environments. We periodically conduct risk assessments to identify threats and vulnerabilities, and then determine the likelihood and impact for each risk using a qualitative risk assessment methodology. We identify risks from various sources, including vulnerability scans, penetration tests, vendor risk assessments, product and services audits, internal compliance assessments and threat-hunting operations. We monitor our infrastructure and applications to identify evolving cyber threats, scan for vulnerabilities and mitigate risks. With oversight from our Board of Directors, the Company has formally adopted and annually updates a Security Incident Response Plan which coordinates the activities we undertake to prepare for, detect, respond to and recover from cybersecurity incidents. These activities include processes to triage, assess the severity of, escalate, contain, investigate, and remediate incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Our incident response plan establishes a framework for measuring the severity of security incidents and provides for a post-market response program including protocols for coordination and communication between security response teams, designated leaders within the Company, internal and outside legal counsel, and the Audit and Finance Committee (“AFC”) of the Company’s Board of Directors in responding to any such incidents.

Our cybersecurity and information security program also includes review and assessment by external, independent third parties, with whom we periodically consult on threat assessments and security enhancements, and incident response preparedness. We share threat intelligence and collaborate with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, better understand the evolving regulatory environment, and advance capabilities in these areas. Additionally, the Company uses a third-party risk management program that assesses risks from vendors and suppliers. In response to these assessments, we have developed contingency plans for business continuity if our vendors are subject to a cyberattack that impacts our use of their systems.

Our Information Security team conducts annual information security awareness training for employees involved in our systems and processes that handle customer data and audits of our systems and conducts enhanced training for specialized personnel. We also conduct cyber awareness training and simulate responses to cybersecurity incidents and use the findings to improve our practices, procedures, and technologies. The Company provides security awareness education and training for all employees and consultants, conducts monthly internal “phishing” testing and mandatory training for “clickers,” and publishes periodic cybersecurity newsletters to highlight any emerging or urgent security threats. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including the impact of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. In the last three years, we have not experienced any material information security breach incidents.

The Company maintains cybersecurity insurance, and as part of management oversight we regularly review our policy and levels of coverage based on current risks.

Governance

Management’s Role Managing Risk

The cybersecurity risk management processes described above are managed by our CIO who reports directly to our Chief Executive Officer. Our CIO has over 20 years of experience in matters of cybersecurity and information systems including senior roles at other global publicly traded companies in various industries. Our CIO is a member of multiple professional organizations, and holds professional certifications from leading information, compliance, and privacy organizations. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CIO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program. At the management level, our IT security team regularly monitors alerts and meets to discuss threat levels, trends and remediation, and the CIO is also continually informed about any developments in cybersecurity, including potential threats and industry techniques for risk management to address those threats. The role of the CIO includes implementation and oversight of effective processes to monitor our information systems, including the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. The CIO regularly reports to senior management on our cybersecurity risks and actions taken to mitigate that risk.

Board of Directors Oversight

Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. The AFC is charged with oversight of data privacy and cybersecurity risks.

Our CIO provides updates to either the AFC or to the full Board of Directors on a quarterly basis on our cybersecurity risks and actions taken to mitigate that risk. These briefings encompass a broad range of topics, including:

- current cybersecurity landscape and emerging threats;
- the status of ongoing cybersecurity initiatives and strategies;
- compliance with regulatory requirements and industry standards; and
- updates on the Company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents.

The CIO also promptly informs and updates the Company’s Board of Directors about any information security incidents that may pose significant risk to the Company. Our guidelines require that any significant cybersecurity matters including strategic risk management decisions are escalated to the Board of Directors to ensure that they have comprehensive oversight. The AFC conducts an annual review of the Company’s cybersecurity posture and the effectiveness of its risk management strategies. As part of this review, the Company’s cybersecurity program is periodically evaluated by external experts, and the results of those reviews are reported to the Company’s Board of Directors. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.


Company Information

Name: DENTSPLY SIRONA Inc.
CIK: 0000818479
SIC Description: Dental Equipment & Supplies
Ticker: XRAY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30