Fortrea Holdings Inc. 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

Fortrea Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 17:11:50 EST.

Filings

10-K filed on 2025-03-03

Fortrea Holdings Inc. filed a 10-K at 2025-03-03 17:11:50 EST
Accession Number: 0001965040-25-000015


Item 1C. Cybersecurity.

Cybersecurity Risk Management Program and Strategy

Our cybersecurity risk management program (the “Cybersecurity Risk Management Program”) was designed to identify, manage, mitigate, and respond to ongoing cybersecurity threats and associated risks and is responsible for their escalation to the Board of Directors when determined to be material. The underlying controls utilized by these programs are based on industry recognized best practices and standards for cybersecurity and information technology which include the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001:2022 Information Security Management Systems Requirements.

The Cybersecurity Risk Management Program is administered through two primary channels: (i) Fortrea led cybersecurity services and capabilities, and (ii) trusted third-party partners delivering cybersecurity services overseen by our Cybersecurity leadership team.

Both channels combined deliver the entire Cybersecurity Program, which includes key items such as:

Cybersecurity risk management program, including, but not limited to, the following:
- Risk assessment activities/analyses
- Risk Committee oversight, documentation, escalation
- Reporting of risk issues deemed material to our Audit Committee of the Board of Directors

Global Cybersecurity services, including, but not limited to, the following:
- 24x7 Security Operations and Incident Response
- Identity Access Management support and governance
- Security Architecture oversight and guidance
- Governance, Risk and Compliance (“GRC”) functions such as third-party risk management, cybersecurity policies, training, and awareness
- Annual and independent penetration testing and vulnerability scanning activities conducted by trusted third parties

Third party risk management, including, but not limited to, the following:
- Periodic third-party reviews and assessments measuring cybersecurity services capability and maturity.

Cybersecurity risks are identified and documented by our cybersecurity team leadership, presented, and reviewed with the Fortrea Cybersecurity Risk Management Committee (the “Risk Committee”) as noted in the Governance of Cybersecurity section below. The Risk Committee, in conjunction with business stakeholders as required, evaluates risks which are presented to them to determine materiality. Cybersecurity risks deemed material are then formally agreed upon as items to be reported by the Chief Information Security Officer (“CISO”) to the Audit Committee.

We have established plans to conduct periodic reviews and tabletop exercises to test various processes for preparedness in the event of a critical cybersecurity incident as well as include cybersecurity risk within our Enterprise Risk Management Framework. As part of our overall risk management strategy, we have secured comprehensive cyber insurance coverage. We regularly review and update our cybersecurity insurance coverage to align with the evolving nature of cyber threats and industry standards. Fortrea will continue to leverage our internal audit department to provide independent reviews and recommendations to enhance Fortrea’s ability to manage risks effectively, as well as pursue external certifications.

Although unknown cybersecurity risks could materialize, including in connection with the implementation of independent systems following the Spin, we are not aware of any disclosures at this time which would be considered material risks and associated with cybersecurity threats or incidents. Refer to Part I, Item 1A. “Risk Factors” of this Annual Report on Form 10-K for further discussion of cybersecurity risks.

Governance of Cybersecurity

The Fortrea Audit Committee has been authorized by the Board of Directors to oversee risks from cybersecurity threats. We have established a Risk Committee chaired by the CISO and chartered to determine and execute the processes for the identification and management of material cybersecurity risks. The Risk Committee is comprised of cross-functional executive leaders who can assess materiality impact and are accountable for materiality disclosure. The CISO is responsible for reporting on the state of cybersecurity to the Audit Committee on a quarterly basis, including those risks deemed material by the Risk Committee.

Our CISO has more than 25 years of experience building and leading cybersecurity programs for global healthcare and retail companies. The cybersecurity leadership team reporting to the CISO is comprised of leaders with skills in cybersecurity risk management, cybersecurity architecture, identity and access management, and cybersecurity operations and engineering. Their experience and certifications are commensurate with their roles.


Company Information

Name: Fortrea Holdings Inc.
CIK: 0001965040
SIC Description: Services-Medical Laboratories
Ticker: FTRE - Nasdaq
Website
Category: Non-accelerated filer
Fiscal Year End: December 30