FARO TECHNOLOGIES INC 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

FARO TECHNOLOGIES INC reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 17:32:17 EST.

Filings

10-K filed on 2024-02-27

FARO TECHNOLOGIES INC filed a 10-K at 2024-02-27 17:32:17 EST
Accession Number: 0000917491-24-000003


Item 1C. Cybersecurity.

Item 1C. Cybersecurity in this Annual Report on Form 10-K.

Our sales to the U.S. government are subject to compliance with regulatory and contractual requirements, and noncompliance could expose us to liability or impede current or future business.

The U.S. Government (the “Government”), as well as state and local governments, can typically terminate or modify their contracts with us either at their discretion or if we default by failing to perform under the terms of the applicable contract, which could expose us to liability and impede our ability to compete in the future for contracts and orders. The failure to comply with regulatory and contractual requirements could subject us to investigations, price reductions, up to treble damages, fines or other sanctions and penalties. Additionally, violations of certain regulatory and contractual requirements could also result in us being suspended or debarred from future government contracting.

We have sold our products and related services to the Government under General Services Administration (“GSA”) Federal Supply Schedule contracts (the “GSA Contracts”) since 2002. Each GSA Contract is subject to extensive legal and regulatory requirements and includes, among other provisions, a price reduction clause (the “Price Reduction Clause”), which generally requires us to reduce the prices billed to the Government under the GSA Contracts to correspond to the lowest prices billed to certain benchmark customers. Late in the fourth quarter of 2018, during an internal review we preliminarily determined that certain of our pricing practices may have resulted in the Government being overcharged under the Price Reduction Clauses of the GSA Contracts (the “GSA Matter”). As a result, we performed remediation efforts, including but not limited to the identification of additional controls and procedures to ensure future compliance with the pricing and other requirements of the GSA Contracts. We also retained outside legal counsel and forensic accountants to assist with these efforts and to conduct a comprehensive review of our pricing and other practices under the GSA Contracts. On February 14, 2019, we reported the GSA Matter to the GSA and its Office of Inspector General. Effective as of February 25, 2021, as a result of the review, we entered into a settlement agreement with the GSA. Pursuant to the settlement agreement, we agreed to, among other things, pay to the GSA $12.3 million in full and final satisfaction of any and all claims, causes of action, appeals and the like, including damages, costs, attorney's fees and interest arising under or related to the GSA Matter, and we no longer have any outstanding liability related to this matter.

For sales to the Government since 2022, we have sold our products and related services through approved distributors. We chose to make this change in our sales strategy to simplify operations and mitigate compliance risk. The Government, as well as state and local governments, can typically terminate or modify their contracts with our distributors either at their discretion or if these distributors default by failing to perform under the terms of their applicable contract, which could impede our ability to compete in the future for contracts and orders.

Any failure to comply with the Foreign Corrupt Practices Act or similar anti-corruption, anti-bribery or anti-money-laundering laws could subject us to fines and penalties.

We utilize third parties to sell our products and services and conduct our business abroad.
We and our third-party intermediaries may have direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities, and, in certain circumstances, we could be held liable for any corrupt or other illegal activities of these third-party business partners and intermediaries, our team members, representatives, contractors, partners and agents, even if we do not authorize such activities. We have policies and controls that are designed to mitigate the risks of non-compliance by our employees and agents; however, we cannot be assured that all of our team members and agents will comply at all times with our policies and applicable law, for which we may be ultimately held responsible. As we increase our international sales and business, or if we increase our reliance on third parties abroad, our risks under these laws may increase. For example, in 2012, our monitorship expired pursuant to our settlement with the SEC and the United States Department of Justice (“DOJ”), concerning certain payments made by our subsidiary in China that may have violated the FCPA and other applicable laws. We are, of course, still subject to such laws. However, in light of our prior conduct, any future failure, or alleged failure, to comply with any such continuing obligations could result in the SEC and the DOJ aggressively seeking to impose penalties against us. In addition, many countries in which we operate have increased regulation regarding anti-corruption practices generally. Compliance with such regulations could be costly and could adversely impact our results of operations or delay entry into new markets.

Our failure to comply with trade compliance and economic sanctions laws and regulations of the United States and applicable international jurisdictions could materially adversely affect our reputation and results of operations.

Our business must be conducted in compliance with applicable economic and trade sanctions and export control laws and regulations, such as those administered and enforced by the U.S. Department of the Treasury's Office of Foreign Assets Control, the U.S. Department of State, the U.S. Department of Commerce, the United Nations Security Council and other relevant sanctions authorities. Such laws and regulations prohibit or restrict certain operations, investment decisions and sales activities, including dealings with certain countries or territories, and with certain governments and designated persons. Our global operations expose us to the risk of violating, or being accused of violating, economic and trade sanctions and export control laws and regulations. In addition, our employees, representatives or distributors may engage in conduct for which we might be held responsible. Our failure to comply with these laws and regulations may expose us to reputational harm as well as significant penalties, including criminal fines, imprisonment, civil fines, disgorgement of profits, injunctions and debarment from government contracts, as well as other remedial measures. Investigations of alleged violations can be expensive and disruptive. Despite our compliance efforts and activities, we cannot assure compliance by our employees, distributors or representatives for which we may be held responsible, and any such violation could materially adversely affect our reputation, business, financial condition and results of operations.

Risks Related to Intellectual Property

Any failure to protect our patents and proprietary rights in the United States and foreign countries could adversely affect our revenues.

Our success depends, in large part, on our ability to obtain and maintain patents and other proprietary rights protection for our processes and products in the United States and other countries.
We also rely upon trade secrets, technical know-how and continuing inventions to maintain our competitive position. We seek to protect our technology and trade secrets, in part, by confidentiality agreements with our employees and contractors. However, our employees may breach these agreements, or our trade secrets may otherwise become known or be independently discovered by inventors. If we are unable to obtain or maintain protection of our patents, trade secrets and other proprietary rights, we may not be able to prevent third parties from using our proprietary rights, which could have a material adverse effect on our results of operations. In addition, despite our efforts to protect our patents and other proprietary rights, unauthorized parties may attempt to copy aspects of our products or to obtain and use information that we regard as proprietary. Policing unauthorized use of our products is difficult, particularly in foreign countries, and we may be unable to determine the extent, if any, to which unauthorized uses of our products exist. In addition, the laws of some foreign countries do not protect our proprietary rights to the same extent as the laws of the United States.

Our patent protection involves complex legal and technical questions. Our patents may be challenged, narrowed, invalidated or circumvented. Further, we may be able to protect our proprietary rights from infringement by third parties only to the extent that our proprietary processes and products are covered by valid and enforceable patents or are effectively maintained as trade secrets. Furthermore, others may independently develop similar or alternative technologies or design around our patented technologies. Litigation or other proceedings to defend or enforce our intellectual property rights could require us to spend significant time and money, which could have an adverse impact on our financial condition.

Claims from others that we infringed on their intellectual property rights may adversely affect our business and financial condition.

From time to time, we receive notices from others claiming that we infringed on their intellectual property rights. Resolving these claims may require us to enter into royalty or licensing agreements on unfavorable terms, require us to stop selling or to redesign affected products, or require us to pay damages. In addition, from time to time, we are involved in intellectual property lawsuits. We could, in the future, incur judgments or enter into settlements of lawsuits and claims that could have a material adverse effect on our financial condition. Any litigation or interference proceedings, regardless of their outcome, may be costly and may require significant time and attention of our management and technical personnel.

Risks Related To Reliance On Third Parties

Our dependence on suppliers for materials could impair our ability to manufacture our products.

Outside vendors provide key components, such as electronic components and semiconductors, used in the manufacture of our products. Any supply interruption in a limited-source component would hinder our ability to manufacture our products until a new source of supply is identified. In addition, an uncorrected defect or supplier's variation in a component, either known or unknown, or incompatibility with our manufacturing processes, could hinder our ability to manufacture our products. We may not be able to find a sufficient alternative supplier in a reasonable period of time, or on commercially reasonable terms, if at all. If we fail to obtain a supplier for the manufacture of components of our products, we may experience delays or interruptions in our operations, which would adversely affect our business, results of operations and financial condition.
World geopolitical conflict, including the Russia-Ukraine conflict, has created a humanitarian crisis, materially impacted economic activities, and may materially impact our global and regional operations.

The global economy has been negatively impacted by the military conflict between Russia and Ukraine. Governments including the U.S., United Kingdom, and those of the European Union have imposed export controls on certain products and financial and economic sanctions on certain industry sectors and parties in Russia, which has triggered retaliatory sanctions by the Russian government and its allies. The outcome and future impacts of the conflict remain highly uncertain, continue to evolve and may grow more severe the longer the military action and sanctions remain in effect. Risks associated with the Russian-Ukrainian conflict, as well as other world geopolitical conflicts that have arisen or could arise in the future, include, but are not limited to, adverse effects on political developments and on general economic conditions, including inflation and consumer spending; disruptions to our supply chains; disruptions to our information systems, including through network failures, malicious or disruptive software, or cyberattacks; trade disruptions; energy shortages or rationing that may adversely impact our manufacturing facilities and consumer spending, particularly in Europe; rising fuel and/or rising costs of producing, procuring and shipping our products; our exposure to foreign currency exchange rate fluctuations; and constraints, volatility or disruption in the financial markets.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

The Company's Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees.
The Board is involved in the oversight of the Company's risk management program, and cybersecurity represents an important component of the Company's overall approach to enterprise risk management. The Company's cybersecurity policies, standards, processes, and practices are being integrated into the Company's enterprise risk management program and are based on recognized frameworks and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As part of our overall enterprise risk management approach, the Company's cybersecurity program framework is focused on the following key areas:

Governance: As discussed in more detail under the heading “Governance” below, the Board receives presentations and interacts with management on cybersecurity readiness.

Collaborative Approach: The Company has implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We also utilize a managed security provider (the “Security Provider”) to identify and assess vulnerabilities. Our Security Provider monitors our network, performs vulnerability scanning, provides event logging services, and raises potential and actual threats with the Company's security operations center when appropriate.

Incident Response Plan: The Company has established and maintains an incident response plan that governs the Company's response to a cybersecurity incident, and such plan is evaluated on a regular basis. Potentially material cybersecurity risks and incidents are escalated to management and the Board as applicable.

Third-Party Risk Management: The Company maintains a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats as a means to equip the Company's personnel with effective tools to address cybersecurity threats, and to communicate the Company's evolving information security policies, standards, processes and practices.

The Company engages in the periodic assessment and testing of the Company's policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. On occasion, the Company engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Board and Audit Committee, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Governance

Our Board and Audit Committee oversee the Company's cybersecurity risk management. Management presents to, and discusses with, the Board the security of our systems and applications. Our Chief Digital Officer (“CDO”) and our Information Security Director provide strategic and technical leadership for the Company's cybersecurity program and lead teams across the Company that support the cybersecurity functions. Our CDO has 30 years of experience in IT, including being accountable for IT compliance and security, and previously served as Chief Information Officer for a publicly traded company for 5 years. Our Information Security Director has nearly 30 years of experience in software development and IT, and, for 17 of those years, was responsible for security, compliance and privacy. These executives regularly report to the Chief Executive Officer and Chief Financial Officer with regard to our cybersecurity program and readiness.

Although we experience cybersecurity incidents from time to time as part of operations, these incidents have not had, and are not reasonably likely to have, a material impact on our business strategy, results of operations or financial condition. Any breach of our security measures, or those of our third-party service providers, could result in unauthorized access to and misappropriation of our information, corruption of data or disruption of systems, operations or transactions, any of which could have a material adverse effect on our business strategy, results of operations or financial condition. See “Risk Factors” on page 24 of this Form 10-K for further discussion of the risks related to cybersecurity threats.


Company Information

Name: FARO TECHNOLOGIES INC
CIK: 0000917491
SIC Description: Measuring & Controlling Devices, NEC
Ticker: FARO - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30