Page last updated on March 3, 2025
Solventum Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:56:56 EST.
Filings
10-K filed on 2025-02-28
Solventum Corp filed a 10-K at 2025-02-28 16:56:56 EST
Accession Number: 0001964738-25-000019
Item 1C. Cybersecurity.
Risk Management

The Company has practices and procedures designed to proactively and comprehensively manage risks from cybersecurity threats. These processes are integrated into the Company’s overall enterprise risk management, as overseen by the Company’s board of directors (the “Board”), primarily through its committees, with its Audit Committee having direct oversight over cybersecurity matters.

We identify and assess cybersecurity risk through various technologies, processes and policies that are regularly updated to align with the changing threat landscape, evolving business needs, as well as global regulatory requirements. Our cybersecurity risk mitigation involves a range of threat defense and protection measures such as monitoring of systems, threat containment methods, penetration testing, conducting crises simulations, identity and access management, vulnerability scanning, promoting security and privacy awareness training to our global employees, improving internal processes and following a system of controls, including but not limited to back-up protocols, system restoration processes, and end-point protection on Company devices. We seek to align our cybersecurity risk management with the NIST Cyber Security Framework, as well as industry best practices. Our cybersecurity incident response processes guide the detection, response and recovery from cybersecurity incidents and compliance with regulatory reporting requirements.

We engage third-party consultants, external auditors, legal advisors and assessors to help evaluate our cybersecurity program to assist in conducting risk and maturity assessments and as part of our processes for oversight, identification, and management of material risks from cybersecurity threats.

Our Third-Party Risk Management program oversees diligence relating to cybersecurity risks from third parties in our supply chain or that have access to our systems, data, or that house such systems or data. The program assesses cybersecurity risks of third-party posture, incidents and data breaches at the third parties identified through such diligence. Also, standard cybersecurity and privacy clauses are included in contracts where appropriate.

A cross-functional Business Resiliency team oversees the adequacy of disaster recovery and business continuity considerations needed in response to cybersecurity threats and incidents.

Governance

Board of Directors

The Audit Committee of our Board is responsible for the oversight of cybersecurity-related risks. The Audit Committee regularly receives reports from our Chief Information Security Officer (“CISO”), Chief Information and Digital Officer (“CIO”) and other members of management on cybersecurity threat risk management, including security posture improvements, results from third-party assessments, identified risks and progress towards risk-mitigation-related goals. The full Board receives a report from our CISO and other members of management annually.

Management

Our cybersecurity risk management and strategy processes are led by our CISO. The CISO works closely with the CIO, Chief Privacy Officer, and members of the legal team who report to the Chief Legal Affairs Officer to periodically review the cybersecurity program. The CISO has over 25 years of experience in cybersecurity, risk management, and compliance, and has served as the chief information security officer at other organizations.

The Company’s CISO oversees the Company’s cybersecurity incident response plan and related processes that are designed to assess and manage material risks from cybersecurity threats. The Company’s CISO also coordinates with the Company’s Legal Affairs team and third parties, such as consultants and legal advisors, to assess and manage material risks from cybersecurity threats. The Company’s CISO is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in the Company’s incident response plan and related processes.

Our Disclosure Committee, with the assistance of its Cybersecurity Subcommittee, is responsible for overseeing the establishment and effectiveness of controls and procedures related to the public disclosure of material cybersecurity matters. The Cybersecurity Subcommittee of the Disclosure Committee is comprised of the Controller and Chief Accounting Officer, Treasurer, Chief Legal Affairs Officer, Assistant Secretary, General Auditor, as well as the CISO, CIO and Chief Privacy Officer. The Cybersecurity Subcommittee receives, at least every quarter, a report from CISO on cybersecurity incidents and their mitigation, and remediation pursuant to incident response plan and related processes, as well as other relevant cybersecurity risk topics.

As of the date of this Form 10-K, the Company is not aware of any risks from cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, see the cybersecurity risk factor of the section entitled “Item 1A. Risk Factors” in this Form 10-K.

Company Information
Name | Solventum Corp |
CIK | 0001964738 |
SIC Description | Surgical & Medical Instruments & Apparatus |
Ticker | SOLV - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |