MERIT MEDICAL SYSTEMS INC 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

MERIT MEDICAL SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 17:07:48 EST.

Filings

10-K filed on 2024-02-28

MERIT MEDICAL SYSTEMS INC filed an 10-K at 2024-02-28 17:07:48 EST
Accession Number: 0000856982-24-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We maintain strong cybersecurity systems to guard against unauthorized access, malicious software, corruption of data, disruption of our networks and systems and unauthorized release of confidential information. We employ an experienced and dedicated information security team, strive to follow industry best practices, and work with our employees globally to create awareness and mitigate cyber risk. On an ongoing basis, we assess risks (including our exposure from significant information technology suppliers, significant software as a service providers and major vendors with access to our information technology systems) and implement procedures and practices designed to improve the security, confidentiality, integrity and availability of our systems. We voluntarily engage third-party security auditors to test our systems and controls at least annually against the most widely recognized security standards and regulations. We have developed and continue to implement a continuing cyber awareness training program which is designed to increase awareness of cybersecurity threats throughout our company and reduce the risk of human error. We conduct periodic phishing testing on all our employees with e-mail access and emphasize information security in training events and programs we host throughout the year. We have established controls and procedures to escalate enterprise-level issues, including cybersecurity matters, to the appropriate management levels within our organization and our Board of Directors, or members or committees thereof, as appropriate. Our Board of Directors provides oversight of our enterprise risk management, including our approach to managing cybersecurity risk, and has delegated responsibility for review of information security risks to its Audit Committee. The Audit Committee regularly reviews information security risks and receives reports from our Chief Information Officer and other members of the Company s management regarding those risks. Our cybersecurity program is managed by a dedicated Chief Information Officer whose global team, including the Director, Information Security, is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. Our Chief Information Officer has over 28 years of relevant industry experience, including 17 years with Merit. Our Director, Information Security, functions as our senior information security officer and has over 17 years of relevant industry experience. Further, team members who support our cybersecurity program have relevant educational and industry experience through various roles involving information technology, security, auditing, compliance, systems and programming, as well as cybersecurity certifications such as Certified Information Systems Security Professional. Under our framework, cybersecurity issues are analyzed by subject matter experts for potential financial, operational, and reputational risks, based on, among other factors, the nature of the matter and breadth of impact. Matters determined to present potential material impacts to the Company s financial results, operations, and/or reputation are immediately reported by management to our Board of Directors or the Audit Committee, as appropriate, in accordance with our escalation framework. In addition, we have established procedures to ensure that management responsible for overseeing the effectiveness of disclosure controls is informed in a timely manner of known cybersecurity risks and incidents that may materially impact our operations and that timely public disclosure is made as appropriate. We maintain cyber insurance coverage that may, subject to policy terms, conditions and limitations, cover certain aspects of cybersecurity risks; however, such insurance coverage may be unavailable or insufficient to cover all losses or all types of claims that may arise in the continually evolving area of cyber risk. During the last three years, we have not experienced a material security breach and, as a result, we have not incurred any material expenses from such a breach. Furthermore, during such time, we have not been penalized or paid any amount under any information security breach settlement. 35 Table of Contents

Company Information