ARTIVION, INC. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

ARTIVION, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 14:28:16 EST.

Company Summary

Artivion is a biological medical device company, which has been focused on the development of implantable biological.

Filings

10-K filed on 2025-02-28

ARTIVION, INC. filed a 10-K at 2025-02-28 14:28:16 EST
Accession Number: 0000784199-25-000029


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have established cybersecurity measures, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. Our enterprise risk management framework assesses cybersecurity threats alongside other company risks as part of our overall risk assessment process. This approach involves collaboration between enterprise risk professionals and subject matter experts to identify and assess material cybersecurity threat risks, their severity, and potential mitigations. We leverage various tools and services, including network monitoring, vulnerability assessments, penetration testing, and tabletop exercises, to enhance our risk identification and assessment capabilities. Our cybersecurity-specific risk assessment process benchmarks our practices against standards set by the National Institute of Standards and Technology (“NIST”), International Organization for Standardization (“ISO”), and the Center for Internet Security (“CIS”), and includes penetration tests to evaluate the security of our information systems, as such term is defined in Item 106(a) of Regulation S-K.
To safeguard critical data and systems, support regulatory compliance, manage our material risks from cybersecurity threats, and identify, assess and respond to potential cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we:

- Monitor emerging data protection laws and adjust our processes and procedures as required or appropriate;
- Utilize Endpoint Detection and Response (EDR) tools to help us prevent, detect, and respond to endpoint threats with real-time visibility across our infrastructure and devices, enterprise-wide;
- Provide periodic, but no less than annual, training on cybersecurity, data privacy, and data handling to all employees and contractors with access to our systems;
- Conduct periodic, but no less than annual, cybersecurity management and incident response training for relevant personnel, utilizing Knowbe4 resources;
- Implement regular phishing simulations and processes for reporting phishing events and concerns to enhance staff awareness, vigilance, and responsiveness;
- Mandate that both employees and service providers treat sensitive data with utmost care, enforced through policies, practices, and contracts;
- Employ elements of the NIST incident handling framework for identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents; and
- Maintain cybersecurity risk insurance to mitigate potential financial losses from incidents.

Our incident response plan outlines our approach to preparing for, detecting, responding to, and recovering from cybersecurity incidents, including severity assessment, containment, investigation, and remediation processes. Our cybersecurity efforts involve regular engagement with external assessors, consultants, and auditors, including periodic reviews by an independent qualified security assessor to identify areas for improvement and support compliance, as well as assessments and audits by our insurer and our external auditing firm.
We address cybersecurity risks related to third-party service providers by incorporating these risks into our enterprise risk management and cybersecurity-specific risk assessment programs. We conduct due diligence on third parties with access to our systems or data and require them to adhere to specified cybersecurity standards and audits. Our information systems have been subject to cybersecurity incidents in the past, including a cyber-attack identified and disclosed during the fourth quarter of 2024 (the “Cybersecurity Incident”) that temporarily disrupted our business operations, including our ERP systems, and had an impact on manufacturing, order processing, shipping, and other corporate operations. Although we are continuing to work with our insurer to recoup covered losses, we do expect to continue to incur expenses in connection with improving our global cybersecurity infrastructure and cybersecurity posture. As of the date of this Annual Report on Form 10-K, we believe that the Cybersecurity Incident has not materially impacted the Company, our overall financial condition or results of operations, and that the incident is not reasonably likely to materially impact the Company, our financial conditions or results of operations. In addition, we are not aware of any cybersecurity threats or cybersecurity incidents that have or would be reasonably likely to materially affect us, including our business strategy, results of operations or financial condition as of the date of this Annual Report on Form 10-K. This includes penalties and settlements, of which there were none. We are seeking reimbursement of costs, expenses and losses stemming from the Cybersecurity Incident by submitting claims to our cybersecurity insurer. The timing and amount of any such reimbursements are not known at this time. 
As discussed in more detail in Part II, Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations”, the Cybersecurity Incident had a $4.6 million impact on our results for the year ended December 31, 2024. To learn more about the risk and potential impact of cybersecurity threats on our business strategy, operations, and financial condition, including with respect to the Cybersecurity Incident, see Part I, Item 1A, “Risk Factors,” “Significant disruptions of information technology systems or breaches of information security systems could adversely affect our business”.

Governance

Cybersecurity is integrated with our overall risk management strategy and is an area of focus for our Board and management, with oversight at the executive level led by our Chief Financial Officer. The Audit Committee, and where applicable, other directors or the entire Board, are involved in overseeing cybersecurity risks. They receive quarterly and bi-annual updates, respectively, on our cybersecurity threat risk management and strategy processes, and may meet more frequently in response to specific threats or incidents. These updates, provided by our Chief Financial Officer and/or our global head of Information Technology, cover various cybersecurity topics, including data security posture, third-party assessment results, progress on risk mitigation goals, incident response plans, and select cybersecurity threat risks or incidents. The Board and Audit Committee also have discussions with our global head of Information Technology and engage in separate meetings to consider cybersecurity risks in the context of broader corporate matters. Our cybersecurity risk management and strategy processes are led by our global head of Information Technology, who reports directly to our Chief Financial Officer, and focus on preventing, mitigating, detecting and remediating cybersecurity incidents, as well as threat risks and related matters.
The global head of Information Technology is part of our operating team and is responsible for implementing our cybersecurity risk management and strategy processes and the operation of our incident response and business continuity plan. Management uses information provided by our global head of Information Technology, along with feedback from external experts, the Audit Committee, and our Board, as part of the cyber-specific and enterprise-wide risk management process described above. Our information technology and cybersecurity team has approximately 35 years of collective experience in information security and cybersecurity strategy, with various roles in significant organizations. Team members’ relevant degrees and certifications include but are not limited to Certified Information Security Manager, Certified Information Systems Security Professional, Certified Ethical Hacker, Certified Penetration Tester, among others.


Company Information

Name: ARTIVION, INC.
CIK: 0000784199
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: AORT - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30