Vivos Therapeutics, Inc. - (VVOS)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity.

Risk management and strategy

We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Processes to manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process. Our cybersecurity risks include theft of business data, fraud or extortion, lack of access to our information systems, harm to employees, harm to business partners, violation of privacy laws, potential reputational damage, and litigation or other legal risk if a cybersecurity incident were to occur. It is difficult to assign a monetary materiality assessment to these risks or to the impact if we were to sustain a breach of our systems. Our approach is based on the premise that any cybersecurity incident could result in material harm to our company.

We utilize a seasoned and mature artificial intelligence-based security system that learns and monitors the actions of individuals that have access to our networks and systems, including location of access (notably from international locations), email, and SaaS platforms that we don’t host. The system not only protects based on the specific rules implemented, but also takes action based on user activity (including remote access to our systems by our employees) that is outside their normal behavior pattern. Additionally, our employees go through cybersecurity awareness training as part of their onboarding procedures.

If a threat is detected, our system automatically notifies our internal information systems management (“ISM”) team of all activities and ranks those activities based on their level of threat to the system and/or deviation of behavior from normal. Severe threats notify the ISM team via text message, regardless of hours of operation. In addition to the notification, the system will automatically take action to secure the system, up to and including blocking user accounts and access. The ISM team will then review the notification, assess the action that was taken against the actual threat, and then clear the condition or take further action.

To mitigate risk, we periodically evaluate and assess the threat landscape and our security controls through assessments and regular network and endpoint monitoring. We also have processes to oversee and identify material cybersecurity risks associated with our use of third-party service providers, including performing diligence on certain third parties that have access to our systems, data or facilities that store such systems or data, and continually monitoring cybersecurity threat risks identified through such diligence.

Under our framework, cybersecurity issues, including those involving vulnerabilities introduced by our use of third-party software, are analyzed by subject matter experts for potential financial, operational, and reputational risks, based on, among other factors, the nature of the matter and breadth of impact.

As of the date of this Report, there have been no cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, operations, or financial condition.

Governance

Matters determined to present potential material impacts to our financial results, operations, and/or reputation would immediately be reported by our Senior Vice President of Technology to our Chief Financial Officer and escalated, as appropriate, to our board of directors or individual members or committees thereof, in accordance with our escalation framework. Given the lack of material cybersecurity incidents relating to our company, we have not been required to escalate any matters to our board of directors, although management keeps the board of directors periodically informed of cybersecurity matters. In addition, we have established procedures to ensure that members of our management responsible for overseeing the effectiveness of disclosure controls are informed in a timely manner of known cybersecurity risks and incidents that may materially impact our operations and that timely public disclosure is made, as appropriate.