Augmedix, Inc. - (AUGX)

10-K Filing Date: March 26, 2024
ITEM 1C. CYBERSECURITY
Managing cybersecurity risks is an important component of the Company’s approach to enterprise risk management. Our enterprise risk management approach generally, and our cybersecurity practices in particular, are based upon industry standards and implemented using managed security applications. We generally approach cybersecurity threats through a cross-functional approach which endeavors to: (i) prevent and mitigate cybersecurity threats to the Company; (ii) maintain the confidence of our customers, clients and business partners; (iii) preserve the confidentiality of our employees’ and customers’ information; and (iv) protect our intellectual property.
Risk Management and Strategy
Our cybersecurity program focuses on the following areas:
Vigilance – We maintain 24/7 cybersecurity threat operations in order to rapidly detect, contain and respond to cybersecurity threats and incidents.
Systems Safeguards – We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats. These safeguards include firewalls, intrusion prevention and detection systems, endpoint detection and response software that includes anti-virus and anti-malware functionality, data loss prevention mechanisms, access controls and ongoing vulnerability assessments and penetration testing.
Third-Party Management – We screen vendors, service providers and other third parties that may gain access to our systems based on their expertise, reliability, reputation and industry credentials, and have implemented measures to further enable us to identify and oversee cybersecurity risks presented to users of our systems. The screening includes conducting sanctions and exclusions checks and security risk assessments.
Education – We provide training at hire and annually thereafter for personnel regarding cybersecurity threats, which reinforces our information security policies, standards and practices.
Incident Response Planning – We have established and continue to maintain an incident response plan that addresses our response to a cybersecurity incident. We conduct annual testing of our incident response plan to measure its effectiveness and improve the plan.
Communication and Coordination – We utilize a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from the technology, operations, legal, risk management and other key business functions (the “Cybersecurity Oversight Team”), as well as including our board of directors in an ongoing dialogue regarding cybersecurity threats and incidents.
Governance – Our board of directors’ oversight of cybersecurity risk management is supported by our Compliance and Risk Management Committee, which includes our Chief Executive Officer, Chief Financial Officer, and Chief Operating Officer and interacts directly with, and is provided relevant information by, our Cybersecurity Oversight Team.
We evaluate the effectiveness of our cybersecurity threat risk management through the assessment and testing of our processes and practices. We regularly conduct vulnerability scans and penetration testing both internally and using third party vendors. We also engage consultants, auditors and other third parties to perform assessments on our cybersecurity measures on an annual basis. The assessments include information security maturity evaluations, independent environmental security control reviews, and operating effectiveness. We make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews. We have been assessed and obtained a HITRUST r2 certification of our production environment.
Governance
Our board of directors as a whole is responsible for overseeing the management of risks pertaining to cybersecurity threats. Our information technology team oversees the day-to-day management of our cybersecurity program with regular reporting to representatives of our Cybersecurity Oversight Team. Our Cybersecurity Oversight Team has overall responsibility for our cybersecurity risk management program and procedures and reports regularly to the Audit Committee of our board of directors on cybersecurity matters. From a governance perspective, the Audit Committee as well as our Compliance and Risk Management Committee are provided with updates from the Cybersecurity Oversight Team regarding incidents as well as the policies, standards, processes and practices that the Company implements to address risks from cybersecurity threats. Additionally, to the extent we identify any cybersecurity incident that could pose a significant risk to the Company, our board of directors will receive prompt and timely information regarding the incident and ongoing updates until such incidents have been addressed.
The Cybersecurity Oversight Team, along with internal security stakeholders, are the team members principally responsible for overseeing and implementing our cybersecurity risk management program. Our Cybersecurity Oversight Team members each possess at least 5 years of cybersecurity experience, with strong educational qualifications including post-secondary education, industry certifications and other relevant developmental training. We believe this collective experience allows us to effectively manage risks emerging from cybersecurity threats.
The Cybersecurity Oversight Team works collaboratively across the Company to implement customized programs designed to protect against and respond to cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, multi-disciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with our incident response plan. Chief concerns are reported to our Compliance and Risk Management Committee when appropriate.
To date we have not experienced any cybersecurity incident that has materially affected our business, results of operations, or financial condition. We have also not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. Although we have adopted various processes and preventative measures with the objective of preventing breaches and minimizing the risks from cybersecurity matters, given the nature of cybersecurity threats which are constantly evolving over time, there is no guarantee that the Company, including its business strategy, results of operations or financial condition, will not be adversely affected by such threats or that our preventative measures and processes will be effective. For further discussion of the Company’s risk related to cybersecurity, see the risk factors “Our business and reputation may be impacted by IT system failures or other disruptions” and “If our products experience data security breaches, and there is unauthorized access to our customers’ data, we may lose current or future customers, our reputation and business may be harmed and we may incur significant liabilities” in Part I, Item 1A of this Form 10-K.
