Accelerate Diagnostics, Inc - (AXDX)
10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We recognize the importance of developing, implementing and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. As such, we have implemented cybersecurity programs designed to maintain compliance with applicable laws and regulations governing ethical business practices, including our relationships with suppliers, customers, and business partners.
We maintain formal processes for our cybersecurity program and incident response procedures, which are updated at least annually. These processes include, among other things, detailed steps on how we assess cyber risks, identify threats, and determine the materiality of cyber incidents. These processes also designate certain roles within the company to execute these policies and certain leadership roles to manage material risk escalation. These processes endeavor to follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Our Information Security team uses automated technology, third-party partners, and direct review of system indicators to monitor and implement the prevention, detection, mitigation, and remediation of cybersecurity incidents, and to stay current with the changing threat landscape. We also leverage encryption technologies and other measures to safeguard systems. We engage third parties as part of our cyber program, including external security firms that provide security technology, conduct regular security audits, and conduct penetration testing.
We also engage third-party service providers to assist with managing various other aspects of our business. We review SOC 1 and similar documentation from these third-party service providers annually to better understand the information security programs maintained by them.
Our employees are responsible for complying with our data security standards and are required to complete annual training to understand the behaviors and technical requirements necessary to keep data secure. We also require that cybersecurity training be part of the onboarding process for new hires.
As of December 31, 2023, cybersecurity risks have not materially affected our business strategy, results of operation, or financial condition.
Governance
Cybersecurity is an important component of our enterprise risk management program. While the full board of directors (the “Board”) has primary responsibility for risk oversight, the Board utilizes its committees, as appropriate, to monitor and address the risks that may be within the scope of a particular committee’s expertise or charter and receives updates at Board meetings on committee activities.
The Audit and Governance Committee has oversight over the adequacy of the Company’s enterprise risk management and internal controls, including computerized information system controls and security, and regularly reviews our cybersecurity, including IT risks, controls, procedures, and plans to mitigate cybersecurity risks and respond to security incidents. Due to the importance of cybersecurity, the full Board receives a report on at least an annual basis from the IT Director on, among other issues, our cyber risks and threats, the status of projects, management’s strategies to strengthen our IT systems, assessments of our security program, third-party assessments and testing, our emerging threat landscape, and the review of our cybersecurity insurance policy. Updates will be held more frequently with the Audit and Governance Committee as deemed appropriate for significant changes to the Company’s IT systems or cybersecurity processes. Pursuant to our incident response procedures, material cyber incidents will be reported to the Audit and Governance Committee upon a determination of material status.
Management is responsible for our company’s day-to-day risk management activities. Our cybersecurity program is led by our IT Director, who is responsible for assessing and managing cybersecurity risks. He has 12 years of experience as a leader in both the medical and defense industries. As a cybersecurity-centric manager, our IT Director has also achieved high-level security clearance and held the title of Information System Security Officer for other organizations.
As cybersecurity risks arise, our IT Director executes an incident response procedure and communicates the appropriate details to management in alignment with the escalation steps in the procedure. In addition, our IT Department conducts quarterly IT systems audits which include system log audits, backup and recovery assessment, account review, and project status.