Page last updated on August 25, 2025
OSI SYSTEMS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-25 09:01:23 EDT.
Filings
10-K filed on 2025-08-25
OSI SYSTEMS INC filed a 10-K at 2025-08-25 09:01:23 EDT
Accession Number: 0001410578-25-001887
Item 1C. Cybersecurity.
Risk Management and Strategy

We maintain high standards with respect to cybersecurity, and our cybersecurity risk management program is integrated into our enterprise risk management framework, overseen by our Information Security Officer (“ISO”), meaning that cyber-risks are identified, evaluated, and managed with the same rigor as other strategic, operational, and financial risks. We have adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework principles as a guide for our security controls and processes, helping us structure our activities around identifying potential threats, protecting systems, detecting incidents, responding to events, and recovering operations. We engage independent third-party cybersecurity auditors and testers annually to review our Information Security Management System (ISMS) and renew our ISO/IEC 27001 certification. Key elements of our program include:

● Preventive Controls and Monitoring: We employ multiple layers of technical controls (firewalls, intrusion detection systems, encryption, and multi-factor authentication) to proactively monitor IT controls to ensure compliance with security policies, legal regulations, contractual obligations, and industry best practices. Our Global Security Operations Center operates 24/7 with real-time monitoring capabilities to rapidly investigate alerts and trigger containment measures, which helps us minimize exposure or damage if a cybersecurity incident occurs.

● Vulnerability Management and Testing: We conduct regular vulnerability assessments and annual external penetration testing of our systems and applications to probe for weaknesses. We also perform periodic exercises simulating cybersecurity incidents to test our defenses and response procedures. Findings from these tests are used to strengthen our security posture on an ongoing basis.

● Incident Response Planning: We maintain a cybersecurity incident response plan that defines procedures for addressing security events. This plan is updated and tested regularly (including through tabletop drills and simulated breach exercises) so that our teams remain practiced in incident handling. In the event of an incident, our aim is to respond swiftly to contain the issue, notify appropriate stakeholders, investigate the root cause, and recover normal operations as soon as practicable.

● Third-Party Risk Management: We carefully manage cybersecurity risks arising from our use of third-party software, cloud services, and suppliers. We perform due diligence and security risk assessments on critical third-party service providers, both at onboarding and periodically during the relationship. Our procurement and legal teams work together to incorporate robust cybersecurity requirements into contracts with vendors (for example, data protection standards and incident notification obligations). Where appropriate, we require suppliers to adhere to our security policies or industry standards, and we conduct ongoing monitoring or audits of their security controls. These steps help reduce the risk that a weakness in a partner’s systems could compromise our data or operations.

● Employee Training and Awareness: A strong security culture among our employees is one of our best defenses in relation to cybersecurity events. Our employees are required to complete annual cybersecurity and data protection awareness training. This training educates personnel on topics like phishing prevention, safe computing practices, and how to report potential security issues. We supplement formal training with periodic phishing email simulations and security reminders.

Through a combination of these technical, procedural, and educational measures, our program is designed to detect and respond to cybersecurity threats effectively and thereby safeguard our business operations and sensitive information. Cybersecurity threats are endemic to the modern business environment, and attempts to penetrate our network security are frequent and ongoing. However, to date, no cybersecurity threats (including incidents) have resulted in a material impact on our business strategy, results of operations, or financial condition. Despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident, that we will not experience a cybersecurity incident in the future, or that a past cybersecurity incident will not result in a future material impact. For additional information on cybersecurity related risks, see “Item 1A. Risk Factors” of this Annual Report on Form 10-K.

Governance and Oversight

We have established strong governance practices to oversee cybersecurity and IT risks. The Board of Directors has delegated primary oversight responsibility for cybersecurity to the Risk Management Committee (RMC) of the Board, which is composed of several Board members. Our Chief Information Officer (CIO) and Information Security Officer (ISO) receive security reports and threat intelligence from the Security Operations Center, which apprises the CIO and ISO of any potential incidents and the status of ongoing preventive measures, and they share this information at least quarterly with the RMC. They also brief the full Board as needed on cybersecurity matters.

We have a multi-disciplinary Cybersecurity Council that connects our Information Security, IT, Corporate Audit, Finance, Legal, Compliance, and Investor Relations teams. This Council facilitates coordination of cybersecurity risk management across our organization and a unified response to incidents. In the event of a cybersecurity incident, the ISO will lead our incident response efforts and convene the Cybersecurity Council to evaluate the situation and determine appropriate next steps (for example, engaging law enforcement or cyber-experts, and considering disclosure obligations). This integrated governance structure - from the operational teams up through senior management and the Board - helps drive accountability and visibility for cybersecurity throughout our organization.

Our leadership team includes seasoned professionals with deep expertise in technology and security. Our CIO, Todd Weathersby, has more than 25 years of experience in global IT and cybersecurity management, and our ISO has more than 25 years of experience in cybersecurity, risk, and compliance (with certifications such as CISSP and CISM). The knowledge and experience of our CIO and ISO, along with the Board’s active engagement, provide strong oversight of our cybersecurity strategy. The Board and management also receive regular briefings and training sessions regarding emerging cybersecurity threats and regulatory developments in order to be positioned to adapt to new challenges in the cybersecurity landscape.
Company Information
Name | OSI SYSTEMS INC |
CIK | 0001039065 |
SIC Description | Semiconductors & Related Devices |
Ticker | OSIS - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | June 29 |