SONIM TECHNOLOGIES INC - (SONM)
10-K Filing Date: March 27, 2024
Risk Management and Strategy
We are committed to protecting information and the underlying information systems involved in the functionality of our products and the operation of our business. We assess, identify, and manage material risks from cybersecurity threats through various processes and procedures, including:
(i) assessing risks, ad hoc, to identify the potential impact and likelihood of various risks and scenarios and to determine appropriate mitigation strategies and controls;
(ii) third-party manufacturer, partner, and supplier selection processes;
(iii) utilizing procedures for responding to cybersecurity incidents;
(iv) training our employees, incident response personnel, and senior management on cybersecurity awareness;
(v) monitoring the responsibilities of our information technology team and evaluating our cybersecurity posture and performance on an ongoing basis;
(vi) conducting regular vulnerability scans and tests utilizing threat intelligence feeds in the assessment of hardware and software; and
(vii) using external service providers and other third parties, where appropriate, to assess, test, or otherwise assist with aspects of our systems addressing cybersecurity threats.
Although we are still in the process of developing a formal incident response plan, our team is trained and has practical experience to cover all phases of the incident management process, including identification, containment, eradication, recovery, and post-incident analysis. Significant cybersecurity incidents are elevated within the hierarchy of management and assessed by a cross-functional, executive management-level team, which is responsible for making the necessary strategic decisions, prioritizing actions that can minimize the impact of the cybersecurity incidents on us and our customers, and determining the materiality of such incidents.
In the past we were subject to attempts to compromise our information technology systems, and, like all information technology systems, our systems are potentially vulnerable to damage, unauthorized access, or interruption from a variety of sources. As of the date of this annual report on Form 10-K, we are not aware of any such attacks that have materially affected, or are reasonably likely to materially affect, us, including our business strategy, results of operations, or financial condition, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. In addition, our third-party service providers and other partners face similar cybersecurity threats, and although we assess these third parties’ cybersecurity controls through a cybersecurity assessment, which may include a cybersecurity questionnaire depending on our risk evaluation, and include security and privacy addendums to our contracts where applicable, a cybersecurity incident at any of these entities could materially adversely affect our business and results of operations. For more information on our cybersecurity-related risks, please see “Risks Related to Information Technology and Intellectual Property” in “Part I. Item 1A. Risk Factors” of this annual report on Form 10-K.
Corporate Governance
Cybersecurity Risks Oversight by the Members of our Board
The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats as a part of its overall risk oversight responsibilities. Such responsibility includes compliance with disclosure requirements, cooperation with law enforcement, and analyzing the related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full board for consideration. The Audit Committee receives annual reports on our cybersecurity risks from management. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
Cybersecurity Risks Oversight by our Management
Our management team, including our Head of Information Technology, is responsible for addressing, assessing, and managing our material risks from cybersecurity threats. Our Head of Information Technology supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants (when applicable). Our management team’s experience includes demonstrated expertise in cybersecurity, mobile and data devices, and smartphone software. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.