ALIGN TECHNOLOGY INC 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

ALIGN TECHNOLOGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 07:03:45 EST.

Filings

10-K filed on 2025-02-28

ALIGN TECHNOLOGY INC filed a 10-K at 2025-02-28 07:03:45 EST
Accession Number: 0001097149-25-000012


Item 1C. Cybersecurity.

Overview

We have implemented a cross-functional information security program to assess, identify and manage material risks from cybersecurity risk, which includes seeking input from our employees, management, third-party vendors, the Audit Committee of the Board of Directors (“Audit Committee”) and the Board of Directors. Our information security program’s ultimate goal is preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. In the event of an identified cybersecurity incident, we have developed a detailed cybersecurity incident response process, which outlines the steps to be followed from incident detection, analysis, containment, eradication, recovery and notification, including notifying functional areas (e.g. information technology, legal, finance, operations, privacy), as well as senior leadership and the Audit Committee, as appropriate. In certain instances, incidents are escalated to certain members of our legal team who are responsible for, among other things, the accurate and timely disclosure of material cybersecurity incidents required under federal securities laws, including making the materiality determination and approving related securities disclosures.

Risk Management and Strategy

Our information security program devotes significant resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats in a timely and effective manner. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and response.

Our information security program leverages the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) 27001 frameworks choosing to organize our cybersecurity risks into five categories: identify, protect, detect, respond and recover. This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST and ISO frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our information security program is integrated into our overall enterprise risk management program. Our information security program includes, among other things:

- cybersecurity incident response;
- vulnerability management;
- antivirus and malware protection;
- technology compliance and risk management;
- encryption;
- identity and access management;
- application security; and
- security monitoring.

Our information security program also includes an information security awareness program, which includes annual training regarding our acceptable use and information classification and handling policies, regular phishing campaigns complemented by additional employee training as appropriate, and communications and companion trainings to keep users informed on current events. Our information security team engages third-party services to conduct evaluations of our security controls, including penetration testing and independent audits. Annually, an external auditor conducts a System and Organization Controls (“SOC”) type 2 audit covering the security principle for systems supporting our products. Our assessment of risks associated with the use of third-party vendors is part of our overall cybersecurity risk management framework. If a third-party vendor is unable to provide a SOC 1 or SOC 2 report, our information security team takes additional steps to assess its cybersecurity preparedness and our initiation or continued engagement with it.

Additionally, third-party vendors are required to include security and privacy addenda to our contracts where determined applicable and are reassessed periodically as necessary depending on the risk level that has been assigned to the third-party vendor. Our legal team also requires that our third-party vendors report cybersecurity incidents to us so the impact of the incident on us can be assessed. As of the date of this Annual Report on Form 10-K, we have not identified any risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Notwithstanding the approach we take to cybersecurity, we may not successfully prevent or mitigate cybersecurity incidents that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be covered or, if covered, fully insured. For a discussion of our cybersecurity-related risks, see Part I, Item 1A of this Annual Report on Form 10-K under the heading “Risk Factors.”

Governance

Role of Management

To more effectively assess and manage cybersecurity threats, we have a dedicated Chief Information Security Officer (“CISO”) who is responsible for leading enterprise-wide information security strategy, policy, process, and technology. Our current CISO has 20+ years of information security and risk management experience and holds a Certified Information Systems Security Professional (CISSP) certification. Our CISO regularly briefs our Audit Committee on our cybersecurity and information security program and cybersecurity incidents deemed to pose a risk of a critical business impact or reputational harm.

Our information security team, comprised of employees with an expertise in cybersecurity and information technology, regularly assesses the threat landscape and takes a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and response. Our information security team annually performs a cybersecurity enterprise risk assessment and presents the results to management and the Audit Committee. In addition, our internal audit team conducts periodic audits of the Company’s systems and cybersecurity processes, with findings reported to the Audit Committee and senior management.

Role of the Board of Directors and the Audit Committee

Our Audit Committee has responsibility for overseeing and reviewing our cybersecurity, data privacy, and other information technology risks, controls and procedures, including our plans to mitigate cybersecurity risks and to respond to data breaches. Our Audit Committee also reviews with management any specific cybersecurity issues that could affect the adequacy of our internal controls and disclosure procedures and any public disclosures about our cybersecurity controls and procedures, the Board of Directors’ cybersecurity expertise, and its oversight of cybersecurity risk. The Audit Committee periodically reports on its review of cybersecurity risks and our cybersecurity program to our Board of Directors. In 2024, our CISO or his team met with the Audit Committee four times to discuss cybersecurity risks and threats.


Company Information

Name: ALIGN TECHNOLOGY INC
CIK: 0001097149
SIC Description: Orthopedic, Prosthetic & Surgical Appliances & Supplies
Ticker: ALGN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30