Sotera Health Co 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Sotera Health Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 16:02:27 EST.

Filings

10-K filed on 2025-02-27

Sotera Health Co filed a 10-K at 2025-02-27 16:02:27 EST
Accession Number: 0001822479-25-000015


Item 1C. Cybersecurity.

We rely on IT systems to conduct business, including but not limited to, interacting with customers and suppliers, fulfilling orders, generating invoices, collecting and making payments, fulfilling contractual obligations, communicating with internal and external stakeholders, and maintaining our business and financial records. In addition, we rely on networks and services, including internet sites, cloud and software-as-a-service solutions, data hosting and processing facilities and tools and other hardware, software and technical applications and platforms, some of which are managed, hosted, provided and/or used by third parties or their vendors. As a result, the Company is subject to various risks related to vulnerabilities, threats and attacks on these IT systems. See “Risks Related to the Company - Our business may be subject to system interruptions, cybersecurity incidents and unauthorized data disclosures” under Item 1A. Risk Factors for additional discussion of these risks.

Cybersecurity Risk Management and Strategy

The Company has an enterprise risk management (“ERM”) program that includes the processes used to identify, assess, and manage our most significant enterprise risks and uncertainties that could materially impact the long-term health of the Company or prevent the achievement of strategic objectives. These risks are identified, measured, monitored, and managed across key risk categories, which include the consideration of cybersecurity risks. The Company develops and maintains cybersecurity processes that protect the confidentiality, integrity and availability of Company, employee, customer and partner information against a growing number of cybersecurity threats and threat actors.
Our cybersecurity program is designed to protect our infrastructure from potential threats, including threats associated with our third-party business partners, to allow us to assess, identify and manage material risks from cybersecurity threats and to endeavor to secure the integrity of our data and IT systems using techniques, hardware, and software typical of companies of our size and scope, which are described further below. For example, we leverage the National Institute of Standards and Technology Cybersecurity Framework’s (“NIST CSF”) principles in developing our cybersecurity program to monitor our security environment and manage risk. However, this does not mean that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks and threats relevant to our business. The Company has adopted a risk-based strategy designed to achieve a targeted and cost-effective approach to managing cybersecurity risks that strengthens our abilities to prevent, detect, and respond to cybersecurity incidents. The Company has configured its IT environment, where possible, to restrict access using a least-privilege methodology. We use various technologies and monitoring capabilities to detect anomalies and track information and assets. We have implemented a cybersecurity awareness program consisting of frequent training, phishing exercises, and bulletins regarding pertinent cybersecurity developments. We maintain and regularly update incident response, disaster recovery and business continuity plans and procedures. Our IT specialists subscribe to threat intelligence feeds and are members of cybersecurity-related associations such as the Information Systems Audit and Control Association, the Computing Technology Industry Association and the Cloud Security Alliance.
We also maintain insurance coverage for cyber and data security risks of an amount and subject to conditions and exceptions that we believe are customary for companies like ours, but there can be no assurance that our levels of coverage are adequate or that we will be able to continue to maintain our existing insurance or obtain comparable insurance at a reasonable cost or at all. As of the date of this filing, we do not believe that any risks from cybersecurity threats, including as a result of past cybersecurity incidents, have had, or are reasonably likely to have, a material effect on our business strategy, results of operations or financial condition, but we cannot assure that our business strategy, results of operations and financial condition will not be materially affected in the future by cybersecurity risks or future cybersecurity incidents. Although we have taken and will continue to take significant steps to protect the security and integrity of our information and although we have implemented policies and procedures to enhance data privacy and security, there can be no assurance that our efforts will prevent breakdowns, system failures, breaches of our systems or other cybersecurity incidents or otherwise be fully effective. Any such breakdown, breach or cybersecurity incident could adversely affect our business strategy, prospects, financial condition or results of operations, and any insurance that we may have for cybersecurity incidents may not cover such risks or be sufficient to compensate us for losses that may occur.

Cybersecurity Governance

Our Chief Information Officer (“CIO”) is responsible for assessing and managing cybersecurity risks.
The CIO is supported by the Senior Director of IT Governance, Security, and Service Delivery, the Senior Director of Global Infrastructure, and the Senior Information Security Architect, who manage our day-to-day cybersecurity-related matters and keep abreast of cybersecurity news, events and incidents through regular monitoring and updates. Our CIO has over 12 years of professional experience in various roles involving managing information security, developing cybersecurity strategy, implementing cybersecurity programs, and managing multiple industry and regulatory compliance environments. Our CIO also holds a certificate in Cyber-Risk Oversight issued by the National Association of Corporate Directors. Our Senior Director of IT Governance, Security, and Service Delivery has over 15 years of professional experience in various roles involving managing information security, developing cybersecurity strategy, implementing cybersecurity programs, and managing industry and regulatory compliance environments. Our Senior Information Security Architect has over 20 years of professional experience designing secure architecture, conducting threat and risk assessments, incident response, cyber forensics, and teaching college and university level cybersecurity program courses. Our Senior Information Security Architect also holds a diverse set of certifications, including CISSP, CISCO Security +, CISA, CEH, CompTIA Sec +, and others. When detected, suspected cybersecurity threats are escalated to the CIO and incident response team. The CIO then creates a Cybersecurity Incident Response Team (“CSIRT”) which, depending on the incident, comprises the incident coordinator, cybersecurity staff, legal counsel and other stakeholders as appropriate. The CSIRT investigates and manages the impact of cybersecurity incidents in accordance with our security incident response procedures.
Our board of directors and its audit committee oversee the Company’s ERM program, and the steps management has taken to monitor and mitigate such risks, including the Company’s procedures and any related policies with respect to enterprise risk assessment and risk management. The board of directors bears principal responsibility for overseeing the Company’s principal current and future risk exposures, and, on an annual basis, the board of directors reviews them, including cybersecurity risks and exposures. The board of directors’ review includes an annual session with our CIO on the Company’s procedures and policies for assessing and managing cybersecurity risks and disclosing any material cybersecurity incidents. In performing these oversight functions, the board of directors relies on advice, reports and opinions of management, counsel and our internal and external auditors, including mid-year and year-end cybersecurity inquiries by our external auditors on various aspects of the Company’s cybersecurity program, processes and training.

Use of Independent Experts

The Company engages external resources in connection with our processes for assessing, identifying and managing material risks from cybersecurity threats. These resources include, but are not limited to, regular internal and external penetration tests and assessments of our cybersecurity program by third-party experts. We plan to continue to engage independent experts to periodically test our cybersecurity policies for their effectiveness.


Company Information

Name: Sotera Health Co
CIK: 0001822479
SIC Description: Services-Misc Health & Allied Services, NEC
Ticker: SHC - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30