Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Sep. 30, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C. CYBERSECURITY.
Risk Management and Strategy
Surmodics has adopted the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework as the basis for our approach to assessing, identifying, and managing material risks from cybersecurity threats. Using a nationally recognized vendor partner, we conduct yearly cybersecurity assessments (including policy and procedures) and penetration testing based on the NIST Cybersecurity Framework and principles. From the assessment results, we create a roadmap and prioritize it to address any noted deficiencies with our identification, protection, detection, response and recovery functions. This roadmap is used as a basis for our yearly cybersecurity planning initiatives to continually improve our systems, tools, architecture, training campaigns, monitoring and policies.
Also using a nationally recognized vendor partner, we have continuous (24x7x365) monitoring of our cloud solutions, perimeter and internal networks in addition to sharing of threat intelligence and remediation steps. Threat intelligence is evaluated, prioritized, and remediated on a continual basis throughout the year.
With the help and guidance of a vendor partner, we conduct quarterly end-user training campaigns designed to educate our end-user community on the social engineering methods used by sources of cybersecurity threats. In addition, monthly security updates are provided to the end-user community with information on current threats and general cybersecurity information.
On an annual basis, we collaborate with the third-party consulting firm that performs internal audit services for us to conduct a risk assessment of information systems controls for managing changes, operations, security and system development life cycles. In addition, we review System and Organization Controls (“SOC”) 1 or SOC 1 Type 2 reports for third-party service providers deemed significant to our environment. We perform the risk assessment and review of service providers in connection with Management’s annual assessments of the effectiveness of internal control over financial reporting. They serve as the basis for developing an internal audit plan to test information systems controls as they relate to the effectiveness of internal control over financial reporting. The results of the internal audit conducted under that audit plan are reviewed by the Audit Committee of the Board of Directors (the “Audit Committee”).
For any vendors providing or supporting critical business information systems, we require confidentiality provisions as part of a services agreement defining our business relationship and our requirements for protecting our data.
We maintain a security incident response plan that designates an incident response team comprised of information technology leadership and cybersecurity personnel as well as relevant third-party service providers. The objective of the plan is to provide for the timely diagnosis and mitigation of cyber events. The incident response team, in conjunction with the Company’s legal counsel, is responsible for determining whether a cybersecurity incident is material and requires reporting to our cyber insurance carrier and/or reporting pursuant to the disclosure requirement of the SEC.
As of the date of this Annual Report on Form 10-K, to the actual knowledge of the executive officers of the Company, no risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, including our business and reputation, as further described in Part I, Item 1A, "Risk Factors" of this Annual Report on Form 10-K.
Governance
Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
The Senior Director of Information Technology, in collaboration with our Cybersecurity Analyst, is responsible for setting the strategic direction and priorities for information security, coordination of enterprise-wide compliance with information security policies and procedures, as well as day-to-day information security management. The Cybersecurity Analyst role reports directly to the Senior Director of Information Technology. The Senior Director of Information Technology has 34 years of information technology experience, including with cyber threats.
As necessary, but not less than once per year, the Senior Director of Information Technology makes a presentation on cyber threats and the Company’s efforts to mitigate them to the Company’s Chief Executive Officer, Chief Financial Officer, and the Audit Committee. In addition, the results of annual internal audits of the effectiveness of internal control over financial reporting, including relevant information systems, are reviewed by the Audit Committee.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
|Cybersecurity Risk Role of Management [Text Block]
|
The Senior Director of Information Technology, in collaboration with our Cybersecurity Analyst, is responsible for setting the strategic direction and priorities for information security, coordination of enterprise-wide compliance with information security policies and procedures, as well as day-to-day information security management. The Cybersecurity Analyst role reports directly to the Senior Director of Information Technology. The Senior Director of Information Technology has 34 years of information technology experience, including with cyber threats.
As necessary, but not less than once per year, the Senior Director of Information Technology makes a presentation on cyber threats and the Company’s efforts to mitigate them to the Company’s Chief Executive Officer, Chief Financial Officer, and the Audit Committee. In addition, the results of annual internal audits of the effectiveness of internal control over financial reporting, including relevant information systems, are reviewed by the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Senior Director of Information Technology, in collaboration with our Cybersecurity Analyst, is responsible for setting the strategic direction and priorities for information security, coordination of enterprise-wide compliance with information security policies and procedures, as well as day-to-day information security management. The Cybersecurity Analyst role reports directly to the Senior Director of Information Technology.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Senior Director of Information Technology has 34 years of information technology experience, including with cyber threats.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|As necessary, but not less than once per year, the Senior Director of Information Technology makes a presentation on cyber threats and the Company’s efforts to mitigate them to the Company’s Chief Executive Officer, Chief Financial Officer, and the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true