Page last updated on March 27, 2025
3D SYSTEMS CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 18:23:43 EDT.
Filings
10-K filed on 2025-03-26
3D SYSTEMS CORP filed a 10-K at 2025-03-26 18:23:43 EDT
Accession Number: 0000910638-25-000005
Item 1C. Cybersecurity.
We recognize the critical importance of maintaining the safety and security of our systems and data. We have implemented a layered cybersecurity program to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.

Governance

As part of the Company’s risk management activities, we prioritize the identification and management of risks which includes risks related to cybersecurity.

Board of Directors

Our Board has delegated to the Audit Committee the oversight of cybersecurity risks, including overseeing the actions management has taken to monitor or mitigate such exposure. The Audit Committee reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks on a periodic basis. As part of such reviews, the Audit Committee receives reports and presentations from members of the team responsible for overseeing the Company’s cybersecurity program, including the Chief Information Officer (CIO), which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, and technological trends. The Audit Committee and such members of our management team also report to the Board at least annually on cybersecurity matters. We have defined guidelines by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported promptly to the Audit Committee and the Board, as well as ongoing updates regarding any such incident.

Management

At the management level, our CIO and Head of Cybersecurity have extensive cybersecurity knowledge and skills gained from work experience at the Company and other publicly traded companies. Our CIO has worked in the IT industry for numerous private and publicly traded companies for more than 35 years. During this time, he has led both the IT and Cybersecurity efforts. He holds both a bachelor’s degree and an MBA, and has obtained numerous certifications throughout his career, including a Project Management Professional (PMP) and Cisco Certified Network Professional (CCNP).

Our Head of Cybersecurity has worked in the Cybersecurity industry for more than 22 years. He has also worked in leadership roles at numerous private and public companies, and holds a bachelor’s degree and a Master’s Degree in Cybersecurity. He has obtained numerous certifications, including a Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), and is a Certified Chief Information Security Officer (C|CISO). He is a founding member of the Carolina CISO leadership network.

Together, they have also had extensive training and hands-on experience with quality management, process efficiency, auditing, and security incident management and response. They lead the team responsible for implementing, monitoring, and maintaining cybersecurity, including data protection practices across our business. The Head of Cybersecurity receives reports on cybersecurity threats from both our internal and external partners on a regular basis. The Chief Administrative Officer and Chief Executive Officer receive regular reports from the Head of Cybersecurity and the CIO on the cyber program and measures implemented by the Company to identify and mitigate cybersecurity risks. Our CIO and Head of Cybersecurity work closely with our Company’s Legal and Compliance teams to oversee compliance with legal, regulatory, and contractual security requirements, and also attend meetings with the Audit Committee and the Board that include cybersecurity updates.

Internal Cybersecurity Team

Our internal Cybersecurity Team, led by the Head of Cybersecurity, is responsible for the implementation, monitoring, and maintenance of our cybersecurity program, including the Company’s data protection practices. Reporting to our Head of Cybersecurity are a number of experienced and trained information security professionals who have previous work experience and educational backgrounds in information technology and security, and who also have industry recognized cybersecurity certifications. In addition to our internal cybersecurity capabilities, we also utilize a number of third-party experts to assist with assessing, identifying, and managing our cybersecurity risks.

Risk Management and Strategy

Each year, we conduct an enterprise risk evaluation by reviewing our progress on existing risk action plans, assessing the current environment against our risk universe, and gathering insights through engagement with senior leadership. The results of this assessment are summarized, a risk owner is assigned, and the identified risks are integrated into the strategic planning process. Risks are monitored throughout the year as part of ongoing business reviews. Additionally, the results of our cybersecurity program risk review are integrated into enterprise risk management results. Cybersecurity risks are assessed alongside other enterprise risks, with specific actions and mitigation strategies incorporated into the overall risk action plans, ensuring alignment with the Company’s broader risk management and strategic objectives. As progress is made in our cybersecurity program, the risk level is updated in our broader enterprise risk management program.

Our cybersecurity program leverages people, processes, and technology to identify and respond to cybersecurity threats in a timely manner. We maintain continuous monitoring of our network and also assess, identify, and manage risks from cybersecurity threats through various mechanisms, which may include incident response planning, risk assessments, control gap analyses, threat modeling, penetration tests, and vulnerability scanning. Our cybersecurity assessment analyses have identified and prioritized steps to further enhance our cybersecurity practices. We maintain cyber insurance, regularly conduct company-wide cybersecurity awareness training, and have a dedicated team of Company personnel to address cybersecurity threats. We intend to implement additional security measures and processes to enhance our detection and response to cybersecurity incidents as appropriate.

We have adopted a Cybersecurity Incident Response Plan (the “IRP”) to provide a standardized framework for responding to and escalating security incidents. The IRP sets out a coordinated approach to investigating, containing, documenting, and mitigating incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as needed.

Material Cybersecurity Risks, Threats & Incidents

To date, risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to have such an effect. Additional information on cybersecurity risks we face can be found in Part I, Item 1A “Risk Factors” of this Report under the heading “Our business could be adversely impacted in the event of a failure of our information technology infrastructure or a successful cybersecurity incident,” which should be read in conjunction with the foregoing information.
Company Information
Name | 3D SYSTEMS CORP |
CIK | 0000910638 |
SIC Description | Services-Prepackaged Software |
Ticker | DDD - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |