TSS, Inc. - (TSSI)
10-K Filing Date: March 28, 2024
Cybersecurity
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not mean that we meet any particular technical standards, specifications, or requirements, but only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
As part of our cybersecurity risk management system, our IT management team tracks and logs privacy and security incidents across our OEM partners, Microsoft and Oracle and other IT system providers, our vendors, and other third-party service providers to remediate and resolve any such incidents. Any significant incidents are reviewed regularly by a cross-functional working group to determine whether further escalation is appropriate. Any incident assessed as potentially being or potentially becoming material is immediately escalated for further assessment, and then reported to designated members of our senior management. We would consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our senior management makes the final materiality determinations and disclosures and other compliance decisions. Our management is tasked with apprising TSS’s independent public accounting firm of matters and any relevant developments.
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the Audit Committee. The Company’s IT department regularly uses specialist firms to independently test our cybersecurity controls. The IT management team is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity risks and incidents through various means, which may include, among other things, briefings with security personnel, threat intelligence and other information obtained from government, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our IT environment.
At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial conditions. See “Risk Factors - Security breaches and attacks on our computer systems could lead to significant costs and disruptions that could harm our business, financial results and reputation”.