BIO-TECHNE Corp 10-K Cybersecurity GRC - 2025-08-22

Page last updated on August 22, 2025

BIO-TECHNE Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-22 06:31:16 EDT.

Filings

10-K filed on 2025-08-22

BIO-TECHNE Corp filed a 10-K at 2025-08-22 06:31:16 EDT
Accession Number: 0001558370-25-011716

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Governance and Oversight Bio-Techne’s cybersecurity program is led by the Company’s Chief Information Officer (“CIO”), with day-to-day management and administration of our cybersecurity program performed by the Director of IT Infrastructure and Security and the IT Security Operations team. The Director of IT Infrastrcuture and Security reports to the CIO, and the CIO reports to the Chief Financial Officer. The CIO is supported by the Incident Response Team (“IRT”), a multi-disciplinary management committee comprising senior members from the Security Operations Team, legal, finance, internal audit and other functions. The IRT supports the CIO in supporting and reviewing information security risks and in the event of a cybersecurity incident provides leadership with respect to incident response, investigation, mitigation and remediation. In addition to leadership and support within management, we also work with security service providers to monitor for vulnerabilities and threats, and which are reported to the Security Operations team. All employees are trained and tested annually on cybersecurity risks, and we continually perform simulated phishing exercises. We also conduct periodic tabletop exercises for key personnel involved in cybersecurity risk management, including the IRT. Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks. The Board exercises its oversight function through the Audit Committee , which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter. In addition, the Audit Committee is specifically responsible for the review and approval of any cybersecurity incident disclosure, as set forth in the Committee’s charter. In the event of a potentially significant cybersecurity incident, the Audit Committee’s charter requires that management promptly communicate and consult with the Audit Committee. Bio-Techne’s General Counsel updates the Audit Committee multiple times per year regarding Bio-Techne’s cybersecurity programs, including regularly-tracked metrics on incident response, internal security testing, and measures implemented to monitor and address cybersecurity risks and threats, as appropriate. The Audit Committee regularly updates the full Board on these matters. In addition, on at least an annual basis, the CIO provides the full Board with a thorough review of the Company’s cybersecurity program, including current status, industry risks and exposure, and future strategy. Based on the information we have as of the date of this Annual Report, we do not believe any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect Bio-Techne, including our business strategy, results of operations or financial condition. However, please see Item 1A. Risk Factors - “A significant disruption in, or breach of security of, our information technology systems or data, or violation of data privacy laws, could result in damage to our reputation, data integrity and/or subject us to costs, fines, or lawsuits under data privacy or other laws or contractual requirements.” Cybersecurity Risk Management and Strategy Bio-Techne’s cybersecurity strategy is to maintain and fortify a secure, actively-monitored environment for our internal and our customers’ data while supporting our and our customers’ business needs. Our cybersecurity program follows industry standards and best practice for preventing, detecting, remediating, and mitigating potential cybersecurity threats, including regular processes to identify, evaluate and manage potential risks . Our IT Security Operations team administers and monitors the prevention, detection, mitigation, and remediation of potential cybersecurity risks. This team leverages both Bio-Techne’s internal IT resources, including its personnel, as well as managed security service providers and other third-party security software and technology services, as well as through other means. We also have implemented processes and technologies for network monitoring and data loss prevention procedures. We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security testing and have established a vulnerability management process supported by security testing, for the treatment of identified security risks based on severity, including risks arising from our use of third-party providers software and service providers. In addition to our evolving processes and systems, we foster a culture of cybersecurity education, training, and testing. Every year, employees must take and pass rigorous information security and protection training. We partner with experienced external consultants to assess our cybersecurity program, and to perform penetration testing as well as other testing programs designed to identify vulnerabilities and areas for fortification. Also, as part of our cybersecurity risk management program we maintain cyber insurance, with coverage amounts and terms that are typical and appropriate for a company of our size and type. This insurance may not be sufficient to cover us against all types of claims related to security breaches, cyberattacks and other related breaches.

Company Information