Page last updated on February 24, 2026
LABCORP HOLDINGS INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-24 13:51:36 EST.
Filings
10-K filed on 2026-02-24
LABCORP HOLDINGS INC. filed a 10-K at 2026-02-24 13:51:36 EST
Accession Number: 0000920148-26-000111
Item 1C. Cybersecurity.
Risk Management and Strategy

Protecting the information maintained by the Company about its patients, customers, colleagues, and partners against external and internal threats is a priority for the Company. Accordingly, the Company maintains an enterprise-wide cybersecurity risk management program and invests in cybersecurity policies, control standards, and control procedures, including risk assessment activities, security and event monitoring capabilities, an IR plan, and other detection, prevention, and protection capabilities designed to monitor and mitigate external and insider threats. Through its OIS within the Information Technology organization, the Company engages in a risk-based monitoring and assessment process that analyzes potential business impact of cybersecurity threats to its systems and data, and assesses the effectiveness of the controls in place.

The Company has implemented a formal cybersecurity governance program aligned to elements of the NIST Cybersecurity Framework and the SCF. The governance program integrates controls from various regulations, standards, and best practices and supports a structured approach to identifying, protecting against, detecting, responding to, and recovering from cybersecurity threats. The Company's program includes the evaluation of the cybersecurity posture of third-party suppliers and vendors that have access to the Company's data or information technology systems.

Consistent with business requirements, components of the Company's information technology environment and control activities are assessed by independent third parties against various frameworks and standards. The Company uses the results of these assessments to inform risk prioritization and remediation planning. With the assistance of these frameworks and standards, the Company assesses risks from cybersecurity threats, monitors its information systems for potential vulnerabilities, assesses those systems pursuant to the Company's cybersecurity policies, control standards, and control procedures, and implements appropriate mitigation measures.

Incident Response and Resilience

The Company has implemented an IR Plan, which is integrated with the Company's enterprise crisis management, business continuity, and disaster recovery programs. The IR Plan provides a framework for responding to and managing cybersecurity incidents and is designed to support timely escalation, coordinated decision-making, and effective recovery. The IR Plan outlines incident response requirements, reporting processes, protocols for incident evaluation, and procedures for notifying and escalating information to the Company's senior management, and the Board and/or appropriate Board committees, as applicable. The IR Plan is reviewed, tested, and updated under the leadership of the Company's CITO and CIRO.

Employee Training

The Company's cybersecurity team provides enterprise-wide cybersecurity training for employees to maintain and continuously improve the Company's mitigation against human-driven risk. Cybersecurity training is conducted annually, with supplemental and role-based training required for personnel with elevated system access or responsibilities. The Company also conducts periodic simulations and awareness activities designed to reinforce expected behaviors and reduce the likelihood of cybersecurity incidents.

Engagement with External Cybersecurity Professionals

The Company engages with third parties to assess the effectiveness of, and assist with, its cybersecurity risk and response systems and processes. These third parties include cybersecurity assessors, consultants, and professionals who help identify, verify, and validate cybersecurity risks and support mitigation as appropriate.

Oversight of Third-Party Service Providers

The Company's processes also are designed to evaluate the cybersecurity threat risks associated with its use of third-party service providers that have applicable levels of access to the Company's data or information technology systems. The Company performs due diligence on third parties that have access to its systems, data, or facilities that house such systems or data, and it monitors cybersecurity threats identified through such due diligence.

Cybersecurity Incident Impact

The Company describes whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect it, including its business and operating results, financial condition, and impact on the Company's reputation and customer relationships under the "Risks Related to Technology and Cybersecurity" heading and subheadings thereunder in Part I, Item 1A. "Risk Factors" of this Annual Report, which disclosures are incorporated by reference herein.

In July 2018, the Company experienced a ransomware incident which affected certain Dx information technology systems. The incident also temporarily affected certain other information technology systems involved in conducting Company-wide operations. An investigation determined that the ransomware did not and could not transfer patient or client data outside of Company systems and that there was no theft or misuse of patient or client data. This incident did not have a material effect on the Company.

On May 14, 2019, Retrieval-Masters Credit Bureau, Inc. d/b/a/ American Medical Collections Agency (AMCA), an external collection agency, notified the Company about a security incident AMCA experienced that may have involved certain personal information about some of the Company's patients (the AMCA Incident). The Company is involved in pending and threatened litigation related to the AMCA Incident, as well as various government and regulatory inquiries and processes. For additional information about the AMCA Incident, see Note 15 Commitments and Contingencies to the Consolidated Financial Statements "Cybersecurity" and "Risk Factors - Risks Related to Technology and Cybersecurity".

Governance

The Company's Board has oversight responsibility for the Company's enterprise risk management process and it delegates oversight responsibility for certain significant functional areas of risk management to the board's committees. The Audit Committee of the Board is responsible for oversight and review of the Company's cybersecurity and other information technology risks, controls, and procedures, including the potential impact of such risks on the Company's business, financial results, operations, and reputation, as well as the Company's plans to mitigate cybersecurity risks and to respond to cybersecurity incidents.

The CIRO and CITO routinely present cybersecurity reports to the Audit Committee at its regularly scheduled meetings. These reports may address cyber risks and threats, the status of projects to strengthen the Company's information security systems, assessments of the Company's security program, prior incidents, and the emerging cyber threat landscape. In addition, the full Board receives briefings from the CIRO and CITO on at least an annual basis.

Management is responsible for day-to-day assessment and oversight of cybersecurity risks. At the senior management level, the CITO is responsible for overseeing the Company's information technology systems, technology capabilities, and cybersecurity practices. The CITO has more than 15 years of experience working in information technology-related roles and is a member of the Company's executive leadership team and reports to the Chief Executive Officer. Prior to joining the Company, the CITO held various leadership positions with global companies.

The CIRO, under the direction of the CITO, is responsible for overseeing the OIS. In this role, the CIRO oversees the cyber risk management function, which identifies cybersecurity threats, assesses cybersecurity risks, and supports the CITO and the Company in managing such risks. The CIRO has over 30 years of experience in information security, and prior to joining the Company held various chief information security officer roles, including seven years at a global healthcare company. The CIRO has also served on the board of directors of Health-ISAC, an organization of critical infrastructure owners and operators within the health and public health sectors.

The CITO and CIRO together lead efforts to design, implement, and operate controls deemed appropriate for the management of cybersecurity risks. OIS manages the policies, control procedures, and control standards designed to identify, protect against, respond to, and recover from cybersecurity threats and cybersecurity incidents.

Company Information
| Name | LABCORP HOLDINGS INC. |
| CIK | 0000920148 |
| SIC Description | Services-Medical Laboratories |
| Ticker | LH - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |