|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Bioventus maintains a cybersecurity risk management program that is designed to enable us to assess, identify, and manage risk associated with cybersecurity threats (the “Cybersecurity Program”). Our Cybersecurity Program is based on standards promulgated by the National Institute of Standards and Technology (“NIST”) and the United States Cybersecurity and Infrastructure Security Agency (“CISA”) and includes the following elements:
•Identification and assessment of cybersecurity threats based on periodic internal and external assessments and monitoring, information from internal stakeholders, and external publications and resources such as those made available by CISA.
•Technical and organizational safeguards designed to protect against identified threats, including documented policies and procedures, technical controls, and employee education and awareness.
•Processes designed to detect the occurrence of cybersecurity events and to respond to and recover from cybersecurity incidents.
•A third-party risk management process designed to manage cybersecurity risks associated with our service providers, suppliers, and vendors.
Our Cybersecurity Program is regularly evaluated by internal and external experts with the results of those reviews reported to senior management and the Audit and Risk Committee of the Board of Directors. We also actively engage with key vendors, industry participants and threat intelligence communities as part of our continuing efforts to evaluate and enhance the effectiveness of the Cybersecurity Program.
Integration of Risk Management Process
Assessing, identifying, and managing cybersecurity-related risks is integrated into our overall risk management framework. The Cybersecurity Program is integrated into our enterprise risk management program and framework. These programs are designed to foster a company-wide culture of appropriate cybersecurity risk management. Our IT Security team works closely with stakeholders across technology, legal, risk, and business operations to implement and monitor the effectiveness of the Cybersecurity Program.
Engagement of Third Parties in Connection with Risk Management
The Company engages a range of external experts to assist in its assessment, identification, and management of risks from cybersecurity threats. These include cybersecurity consultants and external auditors to review the Company’s cybersecurity posture and responsive efforts. Our relationships with these external partners enable us to leverage their expertise with the goal of maintaining best practices.
Oversight of Third-Party Risks
Our third-party service providers, suppliers, and vendors face their own risks from cybersecurity threats that could impact Bioventus in certain circumstances. We have implemented processes for overseeing and managing these risks. Those processes include assessing the third parties’ information security practices before allowing them to access our information systems or data, requiring the third parties to implement appropriate cybersecurity controls and otherwise agree to contractual requirements designed to address cybersecurity risks in our agreements with them, and conducting ongoing monitoring of their compliance with those requirements.
Risks from Cybersecurity Threats
As of the date of this Annual Report, we have not encountered any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. However, incidents impacting data processed and systems maintained or operated by us or on our behalf, and incidents otherwise impacting our operations, can and do occur. For example, Change Healthcare, a subsidiary of UnitedHealth Group that acts as an intermediary for processing certain of our claims for reimbursement related to our EXOGEN device to commercial payers experienced an incident in which a cybersecurity threat actor gained access to some of its information technology systems. As a result of the Change Healthcare incident, certain of our patient billing and collections processes were disrupted. We have identified an alternative claim processing intermediary and have resumed claims submissions, but this incident caused delays in a portion of our claims submissions to some commercial payers thereby delaying the related cash remittances to us. As of the date of this Annual Report, UnitedHealth Group is still investigating this incident, including any potential impact on claims and patient data. We do not presently believe that the Change Healthcare incident has materially affected, or is reasonably likely to materially affect the Company, including with respect to our claims collection and cash flows. We continue to evaluate the impact of the Change Healthcare incident on our Company.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Assessing, identifying, and managing cybersecurity-related risks is integrated into our overall risk management framework. The Cybersecurity Program is integrated into our enterprise risk management program and framework. These programs are designed to foster a company-wide culture of appropriate cybersecurity risk management. Our IT Security team works closely with stakeholders across technology, legal, risk, and business operations to implement and monitor the effectiveness of the Cybersecurity Program.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Audit and Risk Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats, and is regularly briefed on the Company’s Cybersecurity Program by the Vice President of Information Technology and/or Director of IT Security, Risk and Compliance. These briefs include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Risk Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats, and is regularly briefed on the Company’s Cybersecurity Program by the Vice President of Information Technology and/or Director of IT Security, Risk and Compliance.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The incident response team is also responsible for informing executive management, the Audit and Risk Committee and, where appropriate, the Board of Directors, regarding the detection, mitigation, and remediation of cybersecurity incidents.
|Cybersecurity Risk Role of Management [Text Block]
|
The oversight of Bioventus’ Cybersecurity Program falls under the purview of the Company’s Director of IT Security, Risk and Compliance, who has over 25 years of combined technical and leadership experience, with the past 18 years focused on information security and technology risk management, and holds Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications.
The Director of IT Security, Risk and Compliance implements and oversees our processes for regularly monitoring our information systems and detecting and reporting cybersecurity incidents. That process includes convening an incident response team composed of the Director of IT Security, Risk and Compliance, Vice President of Information Technology, Chief Compliance Officer, and General Counsel. The incident response team is responsible for overseeing the assessment of and response to any cybersecurity incident and for monitoring the Company’s mitigation and remediation efforts. The incident response team is also responsible for informing executive management, the Audit and Risk Committee and, where appropriate, the Board of Directors, regarding the detection, mitigation, and remediation of cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Audit and Risk Committee of the Board of Directors is primarily responsible for the oversight of risks from cybersecurity threats, and is regularly briefed on the Company’s Cybersecurity Program by the Vice President of Information Technology and/or Director of IT Security, Risk and Compliance. These briefs include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The oversight of Bioventus’ Cybersecurity Program falls under the purview of the Company’s Director of IT Security, Risk and Compliance, who has over 25 years of combined technical and leadership experience, with the past 18 years focused on information security and technology risk management, and holds Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Director of IT Security, Risk and Compliance implements and oversees our processes for regularly monitoring our information systems and detecting and reporting cybersecurity incidents. That process includes convening an incident response team composed of the Director of IT Security, Risk and Compliance, Vice President of Information Technology, Chief Compliance Officer, and General Counsel.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true