CONMED Corp 10-K Cybersecurity GRC - 2026-02-17

Page last updated on February 17, 2026

CONMED Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-17 11:01:33 EST.

Filings

10-K filed on 2026-02-17

CONMED Corp filed a 10-K at 2026-02-17 11:01:33 EST
Accession Number: 0000816956-26-000009

Item 1C. Cybersecurity.

We take an active role in ensuring the confidentiality, integrity, and availability of data, systems, processes, applications, and products. We are diligent when it comes to safeguarding the data of our strategic partners, employees, existing and future customers, and our teams throughout the globe. We take the protection of proprietary information, intellectual property, and sensitive information seriously, making it our commitment to provide comprehensive prevention, detection, and response capabilities, in order to maintain integrity.

We manage cyber risk and assess internal maturity capabilities by leveraging the National Institute of Standards and Technology (NIST) framework and the ISO 27001 framework, in conjunction with the Center for Internet Security (CIS) top 18 risk framework. Internal and external assessments are conducted for best practice benchmarking. CONMED is certified and externally audited to the ISO 27001 framework and the NIST framework. Outputs from these assessments and audits are used to develop strategic priorities, and to develop tactical action plans to continue to mature our cyber posture. CONMED leverages technologies, external consultants and vendors to support our risk management strategies, threat insights, trends, and mitigation approaches.

We maintain a third-party information technology vendor risk management program designed to identify, assess, and manage risks associated with external parties that access or support our networks, systems, or digital assets. As part of this program, our IT security personnel evaluate third-party vendors using a structured risk-rating methodology to identify those that may present elevated cybersecurity or operational risks. The program incorporates input from internal commercial and operational teams, as well as our legal and compliance functions.

Using an established assessment platform and industry-recognized cybersecurity standards and frameworks, our IT security team conducts risk assessments of vendors determined to pose the greatest potential impact to our systems or data. This process includes working with internal stakeholders responsible for the applicable systems or applications, and with the vendors themselves, to obtain and review information necessary to evaluate associated risks. Where significant risks are identified, we communicate these findings to the vendor and document any required or proposed compensating controls in coordination with that vendor. Internal stakeholders then review the assessment results to evaluate whether the risks identified are appropriate in light of the business value of the relevant product or service.

In addition, CONMED has published corporate policies that support our cybersecurity efforts, such as our employee handbook, and has proactively implemented protection measures such as endpoint encryption, endpoint monitoring (EDR), remote access, VPN, and multi-factor authentication. Policies and procedures must go through a controlled review process by senior management to ensure relevant updates are being incorporated in our policies.

The Board of Directors oversees management's processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our executive management team, inclusive of our Chief Information Officer (CIO), are responsible for managing cybersecurity risk, including assessing cyber maturity and development of short and long-term strategies. Our cybersecurity leader has extensive leadership and experience within the cybersecurity space. We invest in the growth and development of our security team's expertise through hands-on training, technical industry certifications and security domain specific conferences.

Security is approached as a unified company strategy, where everyone in the organization plays a key role in the success of our programs. Through required phishing training and awareness campaigns, policy and procedures training, and periodic multi-level tabletop exercise scenarios, we continue to improve identification, reporting, response, recovery, and prevention of threats. We engage in penetration testing, provided by external entities to ensure our internal processes and controls are validated.

We continue to invest in IT Security to improve technical capabilities, streamline response effectiveness, and harden preventive, detection, and response measures, while growing the core security organization to support business growth efforts. We build our security program with the intent of a global reach and a global customer base at the forefront of our minds. Cybersecurity risk factors are evaluated, prioritized, and connected to annual strategic priorities. Strategic priorities are comprised of critical cybersecurity efforts in an ongoing effort to mitigate internal or external risk factors, and drive maturity objectives. We have developed and continue to develop strategic and tactical cyber capabilities to provide a modern approach to protecting the partnerships we have built our business around. This is, and will continue to be, an ongoing effort to provide and implement cyber best practices.

Our Audit Committee is briefed semi-annually by our management team to provide awareness around IT environmental risk factors, cyber posture, global threat landscape, and changing regulatory requirements. Decisions are then made based on all assessed risk factors, including cyber maturity growth, strategic personnel, and appropriate cyber capability. All critical response activities are assessed and communicated from executive management to the Audit Committee which then reports to the Board of Directors.

During the fiscal year ended December 31, 2025 and through the date of the filing of this Form 10-K, we have not identified any specific risks from cybersecurity threats that have materially affected, or are reasonably likely to affect, our business strategy, results of operations, or financial condition. The risk factors related to cybersecurity threats identified to be reasonably likely to affect our business strategy, results of operations, or financial condition are included in "Item 1A. Risk Factors - Other Risks Related to Our Business".


Company Information

Name: CONMED Corp
CIK: 0000816956
SIC Description: Electromedical & Electrotherapeutic Apparatus
Ticker: CNMD - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 31