Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy; Effect of Risk

We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process.

To mitigate these risks, we have implemented technology solutions that are designed to recognize anomalous activity and behavior on systems used by our employees, alongside other technical safeguards including:

Web Application Firewalls (WAF)
Intrusion detection systems
Antivirus
Endpoint protection and response
Security Event and Incident Management (SIEM)
Identity and Access Management (IAM)
Multi-factor authentication

We utilize a third-party consultancy to provide services including security audits, CISO, risk management and response strategies. This consultancy provides the Chief Technology Officer, who is responsible for leading our cybersecurity strategy, guidance on policy, standards and processes alongside managing the risk management process.

We identify our cybersecurity threat risks by comparing our processes to standards set by the NIST and the ISO, specifically basing our policies and procedures on ISO27001 guidelines.

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:

monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence;
provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
dark web scanning to determine any leaked credentials, both corporate and personal, for key employees;
leverage the NIST incident handling framework and our MSPs to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident;
carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident; and

Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.

As part of the above processes, we regularly engage with consultants, auditors and other third parties, including annually having a third party review our cybersecurity program to help identify areas for continued focus, improvement and compliance.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers or those who have access to employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We are dependent upon information technology systems, which are subject to cyber threats, disruption, damage and failure”, which disclosures are incorporated by reference herein.

In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

To mitigate these risks, we have implemented technology solutions that are designed to recognize anomalous activity and behavior on systems used by our employees, alongside other technical safeguards including:

Web Application Firewalls (WAF)
Intrusion detection systems
Antivirus
Endpoint protection and response
Security Event and Incident Management (SIEM)
Identity and Access Management (IAM)
Multi-factor authentication

We utilize a third-party consultancy to provide services including security audits, CISO, risk management and response strategies. This consultancy provides the Chief Technology Officer, who is responsible for leading our cybersecurity strategy, guidance on policy, standards and processes alongside managing the risk management process.

We identify our cybersecurity threat risks by comparing our processes to standards set by the NIST and the ISO, specifically basing our policies and procedures on ISO27001 guidelines.

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:

monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence;
provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
dark web scanning to determine any leaked credentials, both corporate and personal, for key employees;
leverage the NIST incident handling framework and our MSPs to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident;
carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident; and

Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance; Management

Cybersecurity is an important part of our risk management processes and an area of focus for our management. The audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats, as part of our Enterprise Risk Management system. In the event of a cybersecurity incident that meets established reporting thresholds, our audit committee will receive prompt and timely information regarding such incident, as well as ongoing updates until it has been addressed.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Technology Officer with guidance from an external security consultant. Such individuals have collectively over 40 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as relevant degrees and certifications. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] audit committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats, as part of our Enterprise Risk Management system. In the event of a cybersecurity incident that meets established reporting thresholds, our audit committee will receive prompt and timely information regarding such incident, as well as ongoing updates until it has been addressed.
Cybersecurity Risk Role of Management [Text Block]

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Technology Officer with guidance from an external security consultant. Such individuals have collectively over 40 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as relevant degrees and certifications. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Technology Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Technology Officer with guidance from an external security consultant. Such individuals have collectively over 40 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as relevant degrees and certifications.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true