Perspective Therapeutics, Inc. - (CATX)
10-K Filing Date: March 28, 2024
We are increasingly dependent on sophisticated software applications, computing, and cloud infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.
Cybersecurity Program
Given the importance of cybersecurity to our business, we maintain a cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical and technical safeguards, including contracted 24/7/365 Security Operating Center monitoring services and alerting systems for internal and external threats; regular evaluations of our cybersecurity program, including periodic internal and external audits; and industry benchmarking. We also require cybersecurity trainings when onboarding new employees and conduct cybersecurity awareness testing for our employees. Our program leverages industry frameworks, including the National Institute of Standards and Technology Cybersecurity Framework, to strengthen our program effectiveness and reduce cybersecurity risks.
We use a risk-based approach with respect to our use and oversight of third-party service providers. We use various means to assess cyber risks related to our third-party service providers, including conducting due diligence in connection with onboarding new vendors and ongoing due diligence with key third-party vendors. We also seek to collect and assess cybersecurity audit reports and other supporting documentation, when available and where applicable, as part of our oversight of third-party providers.
Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
In the event of a cybersecurity incident, we maintain a regularly tested cybersecurity incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for handling and managing potential cybersecurity incidents.
We have relationships with a number of third-party service providers to assist with cybersecurity incident containment and remediation efforts.
Governance
Management Oversight
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Chief Financial Officer (“CFO”) in connection with our managed service provider. Our managed service provider is a System and Organization Controls (“SOC”) 2 accredited IT services firm which completes required annual audits, providing evidence of ongoing compliance to maintain the SOC 2 designation. They have over a decade of experience delivering services and consulting for regulatory security requirements. Our managed service provider is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. The managed service provider provides regular briefings for our senior management team on cybersecurity matters, including threats, events and program enhancements.
Board Oversight
The Board of Directors ("Board") has overall responsibility for risk oversight and oversees cybersecurity risk matters. The Board is responsible for reviewing, discussing with management and overseeing the Company’s data privacy, information technology and security and cybersecurity risk exposures. On a regular basis, the CFO reports to the Board or the Audit Committee of the Board on information technology and cybersecurity matters, including key risks, the potential impact of those exposures on the Company’s business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures, the Company’s information governance and cybersecurity policies and programs, and significant legal/regulatory developments that could materially impact the Company’s cybersecurity risk exposure.
The CFO also apprises the Board of cybersecurity incidents promptly for more significant incidents and in the aggregate for less significant incidents.
Cybersecurity Risks
Our senior management identifies, assesses and evaluates risks impacting our operations across the Company, including those risks related to cybersecurity. Senior management is asked to consider the severity and likelihood of certain risk factors, drawing upon their company knowledge and past business experience.
We maintain specific coverage to mitigate losses associated with cybersecurity incidents that impact our or our third parties' systems, networks, and technology.
As of December 31, 2023, we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. While we maintain a comprehensive cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.”