Axogen, Inc. 10-K Cybersecurity GRC - 2026-02-24

Page last updated on February 24, 2026

Axogen, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 16:24:04 EST.

Filings

10-K filed on 2026-02-24

Axogen, Inc. filed a 10-K at 2026-02-24 16:24:04 EST
Accession Number: 0000805928-26-000031


Item 1C. Cybersecurity.

Cybersecurity represents an important component of our overall approach to risk management. Our cybersecurity policies, standards and practices are integrated into our enterprise risk management approach, and cybersecurity risks are one of the enterprise risks that are subject to oversight by our Board. Our cybersecurity standards and practices follow industry trends, which align with frameworks established by the Center for Internet Security. We approach cybersecurity threats through a cross-functional strategy which endeavors to: (i) identify, prevent and mitigate cybersecurity threats to us; (ii) preserve the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protect our IP; (iv) maintain the confidence of our customers, clients and business partners; and (v) provide appropriate public disclosure of cybersecurity risks and incidents when required.

Risk Management and Strategy

Our cybersecurity program focuses on the following areas:

a. Vigilance: We maintain cybersecurity threat operations with the goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans.
b. Systems Safeguards: We deploy system safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence.
c. Collaboration: We utilize collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
d. Third-Party Risk Management: We endeavor to identify and oversee cybersecurity risks presented by third parties, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
e. Training: We provide periodic training for personnel regarding cybersecurity threats, which reinforces our information security policies, standards and practices.
f. Incident Response and Recovery Planning: We have established and maintain incident response and recovery plans that address our response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are tested and evaluated periodically.
g. Communication, Coordination and Disclosure: We utilize a cross-functional strategy to address the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, risk management and other key business functions, as well as the members of the Board and the Audit Committee of the Board in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner.
h. Governance: The Board's oversight over the effectiveness of our cybersecurity risk management is supported by the Audit Committee, which regularly interacts with our Vice President of Information Technology and other members of the cyber team and management.

We manage risks from cybersecurity threats through the assessment and testing of our processes and practices focused on evaluating the effectiveness of our cybersecurity measures. We engage third parties as appropriate to perform assessments of our cybersecurity measures. The results of such assessments and reviews are reported to the Audit Committee and the Board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.

Governance

The Board, in coordination with the Audit Committee, oversees the effectiveness of management of risks from cybersecurity threats, including the policies, standards, processes and practices that our management implements to address risks from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party reviews, the threat environment, technological trends and information security considerations arising with respect to our peers. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. On a regular basis, the Board and the Audit Committee discuss our approach to cybersecurity risk management with our cyber team and senior leadership team.

Our Vice President of Information Technology is the member of our management team that is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. The Vice President of Information Technology works in coordination with senior leadership, which includes our Chief Executive Officer, Chief Financial Officer, and General Counsel. Our Vice President of Information Technology has served in various roles in information technology and information security for over 20 years across a number of public and private organizations including Ernst & Young, Sherwin-Williams, Eaton, TriMas Corporation and Evergen (formerly RTI Surgical). The Vice President of Information Technology holds a bachelor's degree in management, information systems and accounting from Case Western Reserve University.

Our Vice President of Information Technology in coordination with senior leadership, works collaboratively across the Company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our policy as it relates to the incident, management response and recovery plan. Through the ongoing communications from these teams, the Vice President of Information Technology and senior leadership monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate.

Cybersecurity threats, resulting from any previous cybersecurity incidents, have not materially affected or are not reasonably likely to affect us, including our business strategy, results of operations, or financial condition.


Company Information

Name: Axogen, Inc.
CIK: 0000805928
SIC Description: Electromedical & Electrotherapeutic Apparatus
Ticker: AXGN - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 31