OWENS & MINOR INC/VA/ 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

OWENS & MINOR INC/VA/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 16:49:22 EST.

Filings

10-K filed on 2024-02-20

OWENS & MINOR INC/VA/ filed an 10-K at 2024-02-20 16:49:22 EST
Accession Number: 0001558370-24-001369

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our Cybersecurity program is managed by our Chief Information Security Officer (CISO). The CISO is responsible for developing and managing the overall strategy, leading the response to cybersecurity incidents and reporting to the Board. The Audit Committee of the Board monitors our information security programs, including our cybersecurity risk management program, and receives updates quarterly, or more frequently as determined appropriate, from management on our cybersecurity program and systems protection. Our CISO has over twenty-five years of experience in cybersecurity and holds active Certified Information Systems Security Professional and Certified Information Security Manager certifications. Our policies require 31 Table of Contents teammates, contractors, service providers and suppliers who become aware of a cybersecurity incident or the individual s supervisor must immediately report the cybersecurity incident to the appropriate reporting channels, which include the CISO. In the event of a cybersecurity incident, in addition to the standing members, teammates would be selected to serve on the Cybersecurity Incident Response Team (CIRT) based on the facts and circumstances of the particular cybersecurity incident. Additionally, our outside legal counsel is held on retainer to assist with our response to cybersecurity incidents. We model our cybersecurity program to align with practices and standards referenced within the National Institute of Standards and Technology cybersecurity framework. Our information security program is integrated within our larger enterprise risk management program and includes, but is not limited to: Following the methodology of Identify, Protect, Detect, Respond, and Recover; Mandatory annual cybersecurity awareness training for all teammates accessing our network; Monthly Company-wide phishing prevention and awareness exercises; Identification and remediation of information security risks and vulnerabilities in our information technology systems, including regular scanning of both internal and externally facing systems and annual third-party penetration testing; Implementation of security technologies intended to identify and assist in containing and remediating malware risks; Active monitoring of logs and events for our network perimeter and internal systems; Due diligence of information security maintained by third-party vendors that handle our data; Partnering with the Cybersecurity and Infrastructure Security Agency (CISA), DHS, and the Federal Bureau of Investigation, to leverage their provided sensitive or confidential threat intel and with CISA for weekly vulnerability scans of our key public-facing servers; Maintaining a cyber insurance policy that provides coverage for security breach recovery and response; and Engagement of third party consultants to assess the health of our cybersecurity program. We maintain a Cybersecurity Incident Response Plan (CIRP) to assist in promptly responding to, resolving, and recovering from cybersecurity incidents. The CIRP includes guidelines for assessing, identifying, managing, reporting, including disclosure of material breaches with the SEC, and remediating cybersecurity incidents. Following a cybersecurity incident, external subject matter experts, including legal counsel are consulted to reduce the risk of further compromise to our information and to ensure proper reporting and documentation. The Audit Committee would be informed promptly of material cybersecurity incidents in the event that they arise. If a material cybersecurity incident were to occur, it could have a material effect on our business strategy, results of operations and financial condition . For more information see Item 1A. Risk Factors for the Risk Factor entitled Our operations depend on the proper functioning of information systems, and our business or results of operations could be adversely affected if we experience a cyberattack or other systems breach or failure .

Company Information