Page last updated on February 27, 2026
Emergent BioSolutions Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:46:15 EST.
Filings
10-K filed on 2026-02-26
Emergent BioSolutions Inc. filed a 10-K at 2026-02-26 17:46:15 EST
Accession Number: 0001367644-26-000015
Item 1C. Cybersecurity.
The Company's cybersecurity program is aligned and integrated into the overall company risk management process through its Enterprise Risk Management ("ERM") Program. At Emergent, ERM is a centralized process that prioritizes and groups the top risks to our organization into 12 categories, one of which is Cybersecurity. We conduct an Enterprise Risk Assessment ("ERA") annually to proactively identify, assess, respond to, monitor, and report risks to our enterprise. Identified risks are assessed and we accordingly will either accept the risk or take action to reduce or avoid the risk. Mitigations against risks are developed, as necessary, and all risks are monitored, reviewed quarterly, and reported to executive leadership and the Board of Directors.

The ERM program and ERA process are described in the Company's Enterprise Risk Management Policy. The program includes enterprise level risks grouped in 12 risk categories. Cybersecurity is included as a standing risk category. The ERM program does not itself independently review cybersecurity policies and practices.

ERM, in collaboration with Emergent's Policy and Training Center of Excellence, provides training on Emergent's Enterprise Risk Management Policy to all employees who are at the vice president level and above. As part of our ongoing ERM enhancements, our ERM intranet page was launched in 2024 to centralize risk-related resources and policies. The Company periodically performs a comprehensive reassessment of the Company's enterprise risks, with results thoroughly reviewed and communicated to executive leadership (VP and above) to align on key risks and strategic priorities. Annually, we provide an ERM training to all participants in advance of the Company's annual ERA. Full retraining on the ERM policy will occur every three years.
The Company leverages the Committee of Sponsoring Organizations' ("COSO") guidelines as the foundation for our ERM program and leverages external expertise. The Company proactively reviews the threat landscape, impacts to the company, and addresses any gaps where necessary. Also, we maintain security operations metrics and an incident response plan and conduct tabletop exercises. The Company engages outside consultants to review both its Cybersecurity posture and maturity, and to perform cyber assessments for the Company's manufacturing/operational technology environments.

The Company utilizes its Third-Party Risk Management Assessment Process to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. We utilize the NIST framework, which covers 23 categories. When applicable, we may inquire if the third-party vendor is SOC1/2, GDPR, certified. Additionally, the Company maintains cybersecurity insurance to help mitigate the impacts of potential cybersecurity incidents.

The Company's Senior Vice President and Chief Information Officer, who is currently acting as the Company's interim Chief Information Security Officer ("CISO"), is responsible for assessing and managing the Cybersecurity risks with comprehensive oversight of information security functions with an emphasis on strategic leadership, governance, risk management and technical proficiency. The Company is actively in the process of identifying a permanent CISO. Moreover, the Company's CISO provides cybersecurity updates to the entire board of directors and the board's Quality, Compliance, Manufacturing and Risk Management Committee (the "Committee").
The purpose of the Committee is to assist the Board in fulfilling its oversight responsibilities relating to the Company's compliance with laws, regulations, and industry standards that, if breached, may cause significant business, regulatory, or reputational damage to the Company, including oversight of the Company's:

- Compliance with good ("x" = manufacturing, clinical, laboratory, pharmacovigilance, storage, distribution etc.) (GxP) and medical device Quality Management Systems Regulations (QMSR);
- Healthcare compliance, anti-corruption, privacy and data security landscape, medical product safety, supply chain, employee health and safety, political expenditures and lobbying activities, and government contracting;
- ERM program; and
- Cyber and information security risks.

The Committee is the primary oversight body to monitor the Company's cybersecurity and related information technology risks and receives periodic updates from Company management (including the Chief Information Officer and the interim CISO) on the Company's policies, processes, procedures, and any significant developments related to the identification, mitigation, and remediation of cybersecurity risks. The Chair or Vice-Chair of the Committee meets as necessary with the Chief Information Officer and the interim CISO to engage in a more detailed review of the Company's cybersecurity and information security activities. The Committee charter also requires that the Committee ensure that Company management provides an annual cyber and information security update to the Board of Directors.

Current Committee members are: Zsolt Harsanyi, Ph.D., Sujata Dayal, Don DeGolyer and Kathryn C. Zoon, Ph.D., all of whom are independent directors. The interim CISO reports to the Committee twice per year and also reports to the Board twice per year.

The Company has not incurred a material cybersecurity incident over the past three years.
The Company is not aware that any risks from cybersecurity threats, including because of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company. For additional information related to cybersecurity related risks, refer to Part 1 Item 1A. Risk Factors.

The Company proactively reviews the threat landscape, impacts to the company, and addresses any gaps where necessary. Also, we maintain security operations metrics and an incident response plan, conduct tabletop exercises and perform an internal phishing campaign and awareness program. In addition, the Company has a Managed Security Service Provider (MSSP) that maintains 24 hours per day, 7 days per week, monitoring of the Company's environment.
Company Information
| Name | Emergent BioSolutions Inc. |
| CIK | 0001367644 |
| SIC Description | Pharmaceutical Preparations |
| Ticker | EBS - NYSE |
| Website | |
| Category | Accelerated filer |
| Fiscal Year End | December 31 |