Guardion Health Sciences, Inc. - (GHSI)
10-K Filing Date: March 28, 2024
Cybersecurity Risk Management and Strategy
Our Board of Directors is responsible for overseeing our risk management and strategy, and cybersecurity is a critical element of that strategy. Management is responsible for the day-to-day administration of our risk management strategy and our cybersecurity policies, processes, and practices. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our operations, business strategy, results of operations or financial condition. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, refer to Part I, Item 1A. Risk Factors for additional information about cybersecurity risks and their potential impacts on our Company.
Cybersecurity Insurance and Internal Audits
The annual renewal of our cybersecurity insurance policy includes an audit of our internal cybersecurity defense, response, recovery, and remediation protocols. The audit is performed by an independent third party against criteria designed to meet cybersecurity industry standards.
Employee Awareness and Compliance
Our IT policies, including our cybersecurity policies, have been developed in conjunction with independent third parties that specialize in cybersecurity, cloud, and digital infrastructure. The policies cover employee security awareness, employee onboarding and offboarding, incident response protocols, business continuity (including backup protocols), and disaster recovery. Dedicated Company IT personnel, supported by independent third-party cybersecurity resources, are responsible for implementing and monitoring cybersecurity measures, conducting risk assessments, and ensuring compliance with regulatory requirements. The IT team regularly attends webinars providing cybersecurity training and industry updates to stay abreast of trends and to apply what it learns throughout the Company.
We implement ongoing employee cybersecurity awareness programs across the Company. The programs include cybersecurity best practices, phishing simulation exercises and targeted communication campaigns. Mandatory annual cyber awareness training for employees, developed by a third-party specialist, is conducted to enhance management’s ability to detect and respond to cyber threats. The online training includes a system for scoring and reporting on the program’s efficacy so that improvements can be made to subsequent training modules.
Data Protection, Endpoint Management and Threat Intelligence
Encryption protocols have been implemented to safeguard sensitive data, protecting it both at rest and in transit. We manage access controls so that data access and system entry are restricted to authorized personnel only, with pre-set permission levels enforced through Microsoft systems. We work with a third-party IT resource that operates an endpoint management system to monitor and secure all endpoints within the Company’s cloud-based network, and we invest in continuous threat intelligence resources and technologies to detect, analyze, and respond to emerging cyber threats.
Cyberattack Response
The Company’s cyberattack response plan has been developed in conjunction with independent third parties that specialize in cybersecurity, cloud, and digital infrastructure. The plan includes incident response protocols, disaster recovery strategies, business continuity measures, stakeholder communication and SEC compliance reporting. Simulated cyberattacks are conducted to assess the efficacy of the cyberattack response plan and to identify areas of potential risk. Regularly scheduled cybersecurity initiatives include penetration testing to proactively identify and address vulnerabilities in the Company’s systems. Each penetration test is documented and reported, and post-test actions are implemented to drive continuous improvement across our systems.
Cybersecurity Governance
Cybersecurity is a key priority at the board level. Our Board of Directors governs cyber-related risk management by establishing expectations for management and for oversight. The Board approves our cybersecurity policies, including the annual cybersecurity insurance policy, and oversees compliance with those policies and with applicable regulatory requirements.
The Board of Directors facilitates an ongoing exchange of information, including updates on SEC requirements for reporting on cybersecurity risk management and on improving and standardizing disclosures related to cybersecurity incidents. Management regularly updates the Board on IT matters, including cybersecurity.