Page last updated on February 27, 2025
QuidelOrtho Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:01:54 EST.
Filings
10-K filed on 2025-02-27
QuidelOrtho Corp filed a 10-K at 2025-02-27 16:01:54 EST
Accession Number: 0001906324-25-000035
Item 1C. Cybersecurity.
We are committed to maintaining effective governance and oversight of cybersecurity risks. Our cybersecurity strategy focuses on implementing effective and efficient mechanisms, controls, technologies, systems and other processes across our global IT networks and systems to assess, identify and manage material risks from potential unauthorized occurrences on or through our IT systems that may result in adverse effects on the confidentiality, integrity or availability of our IT systems and the data residing therein. These processes are designed to promote (i) robust controls across our IT ecosystem, (ii) transparency across our IT infrastructure so that our information security team can detect, identify and escalate anomalies for further analysis and action, and (iii) a sound enterprise security architecture with security integrated into each phase of system implementation. We believe that the processes and controls we have established to protect our stakeholders’ interests, including with respect to our current regulated products and internal systems, are robust and generally aligned with applicable cybersecurity regulations and informed in part by certain industry standards, principles and frameworks, such as those set by the National Institute of Standards and Technology. This includes security by design, regular penetration testing, vulnerability scanning and standardization where possible of cybersecurity architecture principles. Our cybersecurity risk management is part of our broader enterprise risk management process, which is managed by our internal audit team with oversight from our executive leadership, and ultimately, the Audit Committee and the Board.
Supported by a global team of information security professionals, we have in place a variety of tools, processes and services designed to identify the impacts of changing cybersecurity threats within our IT networks and systems and those networks and systems managed by key vendors or third parties. Cybersecurity risks are identified, quantified and mitigated by leveraging detection and preventive technologies, including security monitoring, intrusion detection and prevention systems, routine risk assessments, a vulnerability management infrastructure and a global incident response program. In addition, we periodically consult with outside advisors and experts on security controls of our products and manufacturing sites and to anticipate future trends, such as threats and issues within the healthcare industry as well as updates on key regulatory changes, including evolving cybersecurity policies and mandates from the FDA and the Cybersecurity and Infrastructure Security Agency. Components of our cybersecurity program are also evaluated by third parties such as our customers, external auditors and government agencies. We identify and address cybersecurity risks associated with key third-party service providers through security and privacy assessments prior to engaging these third parties, the breadth of which is determined by factors such as the type of data, if any, the third party will have access to, whether the third party will have access to our networks and systems, and whether the third party will provide hardware or software to be used in our products or elsewhere in our organization. Depending on the results of these assessments, we may conduct further assessments prior to or periodically throughout the course of our engagement, limit or cease plans to engage the third party, or negotiate specific contractual protections or remediation provisions.
We also aim to improve our identity and access management by limiting individuals’ access to information only to that which is necessary to conduct their official duties and granting individuals access privileges only to user accounts or processes that are essential to perform their intended functions. Multi-factor authentication and role-based access controls are also core elements of our identity and access management processes. Additionally, we periodically offer training and education to our employees on cyber risks and remind our employees of critical end-user best practices, such as current phishing trends. Information security risk is managed by a cross-functional team, which includes our procurement, compliance, privacy and legal teams, allowing for a holistic view of risks related to the safety and privacy of critical data, such as customer account details, financial data and intellectual property. We aim to secure our data and information throughout their lifecycle - from creation, collection and processing to dissemination, use, storage and disposition. While we have not identified any cybersecurity threats or incidents that have materially affected us since the beginning of the last fiscal year, there can be no guarantee that we will not be the subject of future successful attacks, threats or incidents that could materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Risks Relating to Our IT Systems.”

Oversight of cybersecurity risk involves a three-tiered hierarchy designed to leverage the appropriate level of expertise to assess and manage such risks. This consists of our CISO, SGC and the Audit Committee. Our CISO is primarily responsible for our global information security program.
In this role, the CISO is responsible for the effective operation of our information security controls and management of information security and cybersecurity risks across the enterprise, including within our products and operations. The CISO also aligns our information security strategy with our business and technical strategies and integrates, where possible, security initiatives into roadmaps of other functions to promote accountability and awareness. The CISO is also responsible for developing and implementing our information security policies and standards in accordance with applicable global regulatory requirements and facilitating updates to these policies and standards at least annually. Our CISO has over 20 years of global information security leadership experience across financial services, legal and medical device industries and over 35 years of broader IT experience. The SGC is comprised of members of our executive leadership team, including the CEO; CFO; Chief Operations Officer; Chief Legal Officer; Vice President, Information Technology; and CISO. The CISO reports to the SGC on a regular basis, and informs the committee of critical risks that could potentially affect our information security and cybersecurity posture, as well as regulatory compliance; the status of key projects designed to evolve our information security programs; and any significant cybersecurity issues, incidents and patterns of events. The SGC has the authority to (i) investigate any matter brought to its attention that may impact our ability to adequately protect our information assets and (ii) involve its members, the Board, other steering committees, government agencies and law enforcement, as it deems appropriate, to respond to and remediate such matters. 
The CISO provides updates to the SGC during the course of significant cybersecurity incidents and in parallel, response teams partner with our IT and legal teams, law enforcement and others as needed to triage and remediate such incidents. Following such events, we implement changes as appropriate to improve our risk mitigation and remediation capabilities as cyber threats evolve. The Audit Committee oversees our cybersecurity risk management and strategy and has an oversight role that involves reviewing, establishing policies for, and assessing the efficacy of processes used to evaluate significant risk exposures and the measures management implements to mitigate these risks. The Audit Committee is informed about cybersecurity risks through regular management reports on the performance of internal and/or external cybersecurity audits and assessments and the effectiveness of existing cybersecurity practices. The Vice President, Information Technology, CISO, additional members of the SGC, and other personnel also annually update the Audit Committee on material cybersecurity risks, significant cybersecurity incidents, mitigation measures and impacts to the Company. The Board receives updates from management, including the Vice President, Information Technology, and the Audit Committee on cybersecurity risks on at least an annual basis.
Company Information

| Field | Value |
| --- | --- |
| Name | QuidelOrtho Corp |
| CIK | 0001906324 |
| SIC Description | In Vitro & In Vivo Diagnostic Substances |
| Ticker | QDEL - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |