Cyber Incident Victim: Surmodics, Inc.

Date: Jun 2025

Location: United States of America

Summary

Surmodics, Inc. discovered that a third party gained unauthorized access to certain of its information technology systems, rendering some systems and data unavailable. It promptly initiated containment measures, including taking affected systems offline and activating its security incident response plan, and notified law enforcement. The company worked with external IT experts to contain, assess and remediate the incident. Critical systems have been restored and data validation is underway, with remaining systems and data being restored according to a recovery plan. Using alternative processes, the company continued to accept orders and ship products without material impact. Ongoing analysis of the accessed data shows no evidence of data release or fraudulent use, and the company expects its cyber insurance to cover most related expenses. It remains exposed to risks such as process adequacy during disruption, management distraction, potential litigation, shifts in customer behavior and regulatory scrutiny.

Description

On June 5, 2025, Surmodics, Inc. discovered that a third-party threat actor had gained unauthorized access to certain of its information technology systems, resulting in the unavailability of some IT systems and data. The company promptly initiated containment measures, including proactively taking certain IT systems offline, and activated its security incident response plan. Law enforcement was notified about the incident. Following detection, Surmodics engaged third-party IT experts to assist with containment, assessment, and remediation efforts. These actions were undertaken while the company continued to monitor the situation and coordinate internal response activities.

As of the filing of the Current Report on Form 8‑K, the company's critical IT systems had been restored and IT data was being validated, while the remaining IT systems and data were being restored and validated according to a recovery plan. Throughout the cyber incident, Surmodics was able to accept customer orders and ship products without any material interruption by using alternatives to its normal IT systems. The company continued to analyze the scope and details of the IT data that the threat actor accessed, and to its knowledge the threat actor had not released any of the company's data or used it for fraudulent purposes. Surmodics maintains cyber insurance that it expects to cover much of its expenditures related to the incident, subject to the policy's deductible and customary exclusions. The company remains subject to various risks stemming from the cyber incident, including the adequacy of processes during the period of IT system disruption, diversion of management's attention, potential litigation, changes in customer behavior, and regulatory scrutiny.
