DENTSPLY SIRONA Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

DENTSPLY SIRONA Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:54:01 EST.

Filings

10-K filed on 2026-02-26

DENTSPLY SIRONA Inc. filed a 10-K at 2026-02-26 16:54:01 EST
Accession Number: 0000818479-26-000075

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company maintains a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats. These include risks relating to disruption of business operations or financial reporting systems, intellectual property theft, exposure to fraud or extortion, harm to employees or customers, violation of privacy laws or other regulatory and compliance lapses, reputational risk, and inability to consistently deliver digital technologies. For more information on the Company's risks related to cybersecurity, refer to "Risk Factors" in Item 1A of this Annual Report on Form 10-K. Identifying and assessing cybersecurity risk is fully integrated into our overall risk management systems and processes. The Company has established a cybersecurity and information security program that includes risk assessment and mitigation through a threat intelligence-driven approach, application controls, and enhanced security with ransomware defense. We leverage the standards set by the National Institute of Standards and Technology ("NIST") Cybersecurity Framework as well as industry best practices to measure our security posture and manage risk. Our security program under this framework utilizes policies, software, training programs and hardware solutions to protect and monitor our environment, including multi-factor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. With oversight from our Board of Directors, the Company has formally adopted and annually updates a Security Incident Response Plan which coordinates the activities we undertake to prepare for, detect, respond to and recover from cybersecurity incidents. These activities include processes to triage, assess the severity of, escalate, contain, investigate, and remediate 25 incidents, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. Our incident response plan establishes a framework for measuring the severity of security incidents and provides for a post-market response program including protocols for coordination and communication between security response teams, designated leaders within the Company, internal and outside legal counsel, and the Audit and Finance Committee ("AFC") of the Company's Board of Directors in responding to any such incidents. Our cybersecurity and information security program also includes review and assessment by external, independent third parties, with whom we periodically consult on threat assessments and security enhancements, and incident response preparedness. We share threat intelligence and collaborate with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, better understand the evolving regulatory environment, and advance capabilities in these areas. Additionally, the Company uses a third-party risk management program that assesses risks from vendors and suppliers. In response to these assessments, we have developed contingency plans for business continuity if our vendors are subject to a cyberattack that impacts our use of their systems. Our Information Security team conducts annual information security awareness training for employees involved in our systems and processes that handle customer data and audits of our systems and conducts enhanced training for specialized personnel. We also conduct cyber awareness training and simulate responses to cybersecurity incidents and use the findings to improve our practices, procedures, and technologies. The Company provides security awareness education and training for all employees and consultants, conducts monthly internal "phishing" testing and mandatory training for "clickers," and publishes periodic cybersecurity newsletters to highlight any emerging or urgent security threats. Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including the impact of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. In the last three years, we are not aware of having experienced any material information security breach incidents. The Company maintains cybersecurity insurance, and as part of management oversight we regularly review our policy and levels of coverage based on current risks. Governance Management's Role Managing Risk The cybersecurity risk management processes described above are managed by our Chief Information Security Officer ("CISO"), who has over 20 years of experience in matters of cybersecurity and information systems including senior roles at other global publicly traded companies in various industries. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program. Board of Directors Oversight Our Board of Directors is committed to mitigating data privacy and cybersecurity risks and has charged the AFC with oversight of data privacy and cybersecurity risks. Our CISO provides updates to either the AFC or to the full Board of Directors on a quarterly basis on a broad range of topics, including: - current cybersecurity landscape and emerging threats; - the status of ongoing cybersecurity initiatives and strategies; - compliance with regulatory requirements and industry standards; and - updates on the Company's performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The CISO also promptly informs and updates the Company's Board of Directors about any information security incidents that may pose significant risk to the Company. Our guidelines require that any significant cybersecurity matters, including strategic risk management decisions, are escalated to the Board of Directors to ensure that they have comprehensive oversight. The AFC conducts an annual review of the Company's cybersecurity posture and the effectiveness of its risk management strategies, including input from external experts, and the results of those reviews are reported to the Company's Board of Directors. 26

Company Information