Lantheus Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Lantheus Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 07:49:58 EST.

Filings

10-K filed on 2024-02-22

Lantheus Holdings, Inc. filed an 10-K at 2024-02-22 07:49:58 EST
Accession Number: 0001628280-24-006158

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy With respect to cybersecurity risks, we have invested and continually invest in new cybersecurity services, technologies, and capabilities. On an ongoing basis we provide our employees with comprehensive cybersecurity awareness training around phishing, malware and other cybersecurity risks, all in a manner reasonably intended to educate employees to safely avoid cyber attacks and mitigate the risk of employee related security breaches. In support of our cybersecurity program, our systems and services undergo regular reviews by management to determine if any insufficiencies in cybersecurity exist. If an incident is detected, the Cybersecurity team follows the incident response policy to investigate, review and determine the potential impacts of such an incident. If the Cybersecurity team determines that an incident could reasonably be expected to have an impact on the financial condition or operations of the Company, it escalates the incident to the crisis management team, which includes executive management. The crisis management team further evaluates the potential impact and materiality of an event and the 52 Table of Contents appropriate response required. The crisis management team coordinates the appropriate response effort and communicates, as applicable, to the Audit Committee. To the extent that Cybersecurity incident is determined to be material, the appropriate public disclosures are made. We monitor material risks from cybersecurity threats relating to potential compromises of sensitive information at our third-party business partners where relevant and reevaluate these risks periodically. We also perform third-party cybersecurity audits at least annually and conduct third-party security reviews and testing of our network, processes and systems periodically. Impact of cybersecurity risks on business strategy, results of operations or financial condition We rely on our computer networks and systems, some of which are managed by third-parties, to manage and store electronic information (including sensitive data such as confidential business information, personally identifiable data and personal health information), and to manage or support a variety of critical business processes and activities. We may face threats to our networks from unauthorized access, security breaches and other system disruptions. Despite our security measures, our infrastructure may be vulnerable to external or internal attacks. Any such security breach may compromise information stored on our networks and may result in significant data losses or theft of sensitive or proprietary information. A cybersecurity breach could hurt our reputation by adversely affecting the perception of customers and potential customers about the security of their orders and personal information, as well as the perception of our manufacturing partners of the security of their proprietary information. In addition, a cybersecurity attack could result in other negative consequences, including disruption of our internal operations, increased cybersecurity protection costs, lost revenue, regulatory actions or litigation. Any disruption of internal operations could also have a material adverse impact on our results of operations, financial condition and cash flows. As of the date of this report, we have not experienced any known cybersecurity incidents, or a series of related incidents, that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. For an additional description of these cybersecurity risks and potential related impacts on us, see Risk Factors in Part I, Item 1A of this Annual Report on Form 10-K. Governance Our Board actively oversees our corporate strategy and enterprise risk management ( ERM ) programs, including those relating to cybersecurity and data privacy risks. Our Audit Committee and Nominating and Corporate Governance Committee are primarily responsible for, among other things, overseeing our compliance and ERM programs, information technology systems, and our processes and data, including cybersecurity and data privacy. These responsibilities include reviewing and discussing with management our policies and processes relating to risk assessment and risk management. Cybersecurity and data privacy are regular topics on the Audit Committee s agenda and management reviews at least quarterly the results of cybersecurity monitoring and discusses performance metrics, any incidents identified and potential recommended modifications to our technology, organization training, awareness and governance with our Audit Committee. A summary of these results are also reported by the Audit Committee to the Board at least annually. Management, including our Chief Information Officer ( CIO ), who has over 25 years of experience serving primarily in the life science industry and is a recognized industry leader, is responsible for monitoring and assessing cybersecurity risks. Management reviews and determines the effectiveness of both internal and third-party leveraged expertise to ensure we have the appropriate knowledge base for risk coverage. 53 Table of Contents

Company Information