BRUKER CORP 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

BRUKER CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 16:04:32 EST.

Filings

10-K filed on 2026-02-27

BRUKER CORP filed a 10-K at 2026-02-27 16:04:32 EST
Accession Number: 0001193125-26-082523


Item 1C. Cybersecurity.

The Board's Audit Committee oversees risks relating to cybersecurity threats and the steps management takes to monitor and control such risks. In addition to other written policies and procedures, the Company has instituted an Information Security Incident Response Plan ("IRP") which provides a framework to assist the Company in responding to actual or potential cybersecurity incidents. Such incidents may consist of any actual, threatened, suspected, or reported event or occurrence that may affect the confidentiality, integrity, or availability of Company systems or data, or of any such event affecting a third party that may affect Company systems or data. The objective of the IRP is to facilitate a timely and coordinated enterprise-level response to such incidents to mitigate any impacts on the Company and its employees, stockholders, customers, business partners, and other stakeholders by providing detailed response procedures to be followed in the event of a cybersecurity incident, including with respect to detection, assessment, notification, and recovery. The Audit Committee receives regular reporting from senior officers on operational risk and the steps management has taken to monitor and control these risks. Such reporting includes updates on the Company's IRP, the external threat environment, and the Company's programs to address and mitigate the risks associated with the cybersecurity threat environment. The IRP and internal controls around cybersecurity are periodically evaluated by external experts and the results of those reviews are reported to the Audit Committee. We continue to develop and refine our processes and strategies in response to assessments by such external experts, industry best practices, and the shifting threat landscape including Artificial Intelligence related threats.
The Company has established a corporate-level, global Information Security Incident Response Team ("ISIRT"), which provides a centralized, coordinated response to, and management of, cybersecurity incidents that may present significant risk to the Company's operations, valuation, brand or reputation, employees, or customer or business relationships. The Company's cybersecurity response team is comprised of multiple subject-matter experts who have each served in various roles in information technology ("IT"), cybersecurity, and risk management with more than 60 years of combined experience. These individuals' knowledge and experience along with the culture and talent of the corporate IT security team organization are instrumental in developing and executing our cybersecurity strategies. Core members of the ISIRT are the Vice President, Financial Operations and Project Management ("Financial Ops"); Senior Vice President, General Counsel, and Corporate Secretary ("General Counsel"); Chief Information Security Officer ("CISO"), who reports to the Chief Information Officer; Chief Privacy Officer ("CPO"); Vice President, Corporate Treasurer; Director, Risk Management & Insurance; and Cyber Security Manager. Bruker's ISIRT team is led by the Company's CISO. Bruker's Chief Information Officer has served as a technology leader for over 25 years leading cybersecurity, information technology, engineering, and operational functions. Bruker's CISO has served for more than 25 years in various information security roles, including serving as Managing Partner for a Managed Security Service Provider prior to joining Bruker. If a cybersecurity incident warrants activation of the ISIRT, the Company's CISO and General Counsel will notify, as appropriate, the Company's executive leadership and the Audit Committee.
We also engage specialized third-party consultants to proactively support our cybersecurity efforts, which include, but are not limited to, application and network security, information risk management, as well as business continuity and disaster recovery. Cybersecurity incidents may occur at, or be reported to, any of the Company's facilities worldwide. The Company has an IT Service Desk which acts as the single point of contact for cybersecurity incident reporting. Employees can notify the IT Service Desk of any event that they observe or is reported to them that may constitute a cybersecurity incident. Once notified, the Information Security team conducts an initial assessment, escalating incidents as required or permitted in accordance with the IRP. The CISO, in consultation with the General Counsel, CPO, and Financial Ops, will decide whether to activate the ISIRT in connection with an escalated incident. When activated, the ISIRT coordinates and directs all aspects of the response, including, as applicable, investigation, containment, business continuity and recovery, remediation, notifications, communications, and post-incident activities. As of the date of this Annual Report on Form 10-K, no identified risk has required activation of the ISIRT. In addition, our third-party service providers play a role in our risk management and strategy, as well as with the investigation of cybersecurity incidents, where appropriate. Based upon the assessment of the type of incident and risk presented, the ISIRT may engage outside counsel and/or external resources, such as forensic consultants, to conduct or assist with cybersecurity investigations in order to provide advice to the Company. The vendors with which we engage are globally recognized companies with cybersecurity expertise. We conduct due diligence before onboarding new vendors and maintain ongoing evaluations to ensure compliance with our security standards.
The Company also conducts appropriate cybersecurity exercises and training. For example, employees must complete cybersecurity training on at least an annual basis, which educates our employees on the Company's policies and procedures for handling personal data, incident reporting, and avoiding common cybersecurity threats such as phishing attacks. For a discussion of information technology rights that may materially impact us, see Item 1A "Risk Factors - We rely on information technology to support our operations and reporting environments. A security failure of that technology, including with respect to cybersecurity, could impact our ability to operate our businesses effectively, adversely affect our financial results, damage our reputation and expose us to potential liability or litigation."


Company Information

Name: BRUKER CORP
CIK: 0001109354
SIC Description: Laboratory Analytical Instruments
Ticker: BRKR - Nasdaq; BRKRP - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31