Bioventus Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Bioventus Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 07:51:59 EDT.

Filings

10-K filed on 2024-03-12

Bioventus Inc. filed a 10-K at 2024-03-12 07:51:59 EDT
Accession Number: 0001628280-24-010376


Item 1C. Cybersecurity.

Risk Management and Strategy

Bioventus maintains a cybersecurity risk management program that is designed to enable us to assess, identify, and manage risk associated with cybersecurity threats (the "Cybersecurity Program"). Our Cybersecurity Program is based on standards promulgated by the National Institute of Standards and Technology ("NIST") and the United States Cybersecurity and Infrastructure Security Agency ("CISA") and includes the following elements:

- Identification and assessment of cybersecurity threats based on periodic internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources such as those made available by CISA.
- Technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, technical controls, and employee education and awareness.
- Processes designed to detect the occurrence of cybersecurity events and to respond to and recover from cybersecurity incidents.
- A third-party risk management process designed to manage cybersecurity risks associated with our service providers, suppliers, and vendors.

Our Cybersecurity Program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the Audit and Risk Committee of the Board of Directors. We also actively engage with key vendors, industry participants and threat intelligence communities as part of our continuing efforts to evaluate and enhance the effectiveness of the Cybersecurity Program.

Integration of Risk Management Process

Assessing, identifying, and managing cybersecurity-related risks is integrated into our overall risk management framework. The Cybersecurity Program is integrated into our enterprise risk management program and framework. These programs are designed to foster a company-wide culture of appropriate cybersecurity risk management.

Our IT Security team works closely with stakeholders across technology, legal, risk, and business operations to implement and monitor the effectiveness of the Cybersecurity Program.

Engagement of Third Parties in Connection with Risk Management

The Company engages a range of external experts to assist in its assessment, identification, and management of risks from cybersecurity threats. These include cybersecurity consultants and external auditors to review the Company's cybersecurity posture and responsive efforts. Our relationships with these external partners enable us to leverage their expertise with the goal of maintaining best practices.

Oversight of Third-Party Risks

Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact Bioventus in certain circumstances. We have implemented processes for overseeing and managing these risks. Those processes include assessing the third parties' information security practices before allowing them to access our information systems or data, requiring the third parties to implement appropriate cybersecurity controls and otherwise agree to contractual requirements designed to address cybersecurity risks in our agreements with them, and conducting ongoing monitoring of their compliance with those requirements.

Risks from Cybersecurity Threats

As of the date of this Annual Report, we have not encountered any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

However, a third-party vendor recently informed us that Change Healthcare, a subsidiary of UnitedHealth Group that acts as an intermediary for processing certain of our claims for reimbursement related to our Exogen device to commercial payers, experienced an incident in which a cybersecurity threat actor gained access to some of its information technology systems. As a result of the Change Healthcare incident, certain of our patient billing and collections processes have been disrupted. While we have identified an alternative claim processing intermediary and have resumed claims submissions to some payers, this event may cause delays in a portion of our claims submissions to some commercial payers, thereby delaying the related cash remittances to us. As of the date of this Annual Report, UnitedHealth Group is still investigating this incident, including any potential impact on claims and patient data. On March 7, 2024, UnitedHealth Group issued a statement indicating that it expects to begin testing and reestablish connectivity to the affected claims network to restore service beginning March 18, 2024. We do not presently believe that the Change Healthcare incident has materially affected, or is reasonably likely to materially affect the Company, including with respect to our claims collection and cash flows. We continue to evaluate the impact of the Change Health incident on our Company.

Governance

The oversight of Bioventus' Cybersecurity Program falls under the purview of the Company's Director of IT Security, Risk and Compliance, who has over 25 years of combined technical and leadership experience, with the past 18 years focused on information security and technology risk management, and holds Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications.

The Audit and Risk Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats, and is regularly briefed on the Company's Cybersecurity Program by the Vice President of Information Technology and/or Director of IT Security, Risk and Compliance. These briefs include updates on the Company's cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape.

The Director of IT Security, Risk and Compliance implements and oversees our processes for regularly monitoring our information systems and detecting and reporting cybersecurity incidents. That process includes convening an incident response team composed of the Director of IT Security, Risk and Compliance, Vice President of Information Technology, Chief Compliance Officer, and General Counsel. The incident response team is responsible for overseeing the assessment of and response to any cybersecurity incident and for monitoring the Company's mitigation and remediation efforts. The incident response team is also responsible for informing executive management, the Audit and Risk Committee and, where appropriate, the Board of Directors, regarding the detection, mitigation, and remediation of cybersecurity incidents.


Company Information

Name: Bioventus Inc.
CIK: 0001665988
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: BVS - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30