On June 5, 2025, Surmodics, Inc. (the "Company") discovered that a third party (a "Threat Actor") had gained unauthorized access to certain of its information technology ("IT") systems (the "Cyber Incident") and that certain IT systems and data were unavailable to the Company. The Company promptly initiated containment measures, including proactively taking certain IT systems offline, and implemented its security incident response plan. The Company has notified law enforcement about the matter.
Since discovering the Cyber Incident, the Company has worked with third party IT experts to contain, assess, and remediate the incident. As of the time of filing of this Current Report on Form 8-K (this "Form 8-K"), the Company's critical IT systems have been restored and IT data is being validated. The Company's remaining IT systems and data are being restored and validated in accordance with a recovery plan. Throughout the Cyber Incident to date, the Company has been able to accept customer orders and ship products without any material interruption or customer impact using alternatives to its normal IT systems.
The Company continues to analyze the scope and details of the IT data that the Threat Actor accessed. To the Company's knowledge, the Threat Actor has not released any of the Company's data, including third party data held by the Company, or used any such data for any fraudulent purposes.
The Company maintains cyber insurance, which it expects to cover much of its expenditures related to the Cyber Incident, subject to the policy's deductible and customary exclusions. The Company remains subject to various risks due to the Cyber Incident, including the adequacy of processes during the period of disruption of the Company's IT systems, diversion of management's attention, potential litigation, changes in customer behavior, and regulatory scrutiny.
Form 8-K: https://www.sec.gov/Archives/edgar/data/924717/000095017025092526/srdx-20250605.htm