Tivic Health Systems, Inc. - (TIVC)

10-K Filing Date: March 25, 2024
Item 1C – Cybersecurity

Risk management and strategy

Due to the size of our company, we have not yet developed robust policies and processes for assessing, identifying, and managing material risk from cybersecurity threats. We have implemented access controls with respect to our systems, which we monitor regularly and audit annually. We currently rely heavily on products and services provided by third-party suppliers to operate certain critical business systems, including without limitation, cloud-based infrastructure, encryption and authentication technology, email, and other functions. We rely on third party providers and outsourced IT services to monitor and address cybersecurity related risks, including installing software for threat protection and malware. Such third party providers are tasked with notifying management of any material risks or cybersecurity concerns that they identify, which management then assesses and may bring to our board of directors to discuss if deemed necessary or appropriate. Based on the results of our risk assessments, if deemed necessary or appropriate, we take steps to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards.

 

We intend to work with outside counsel and third party service providers in the near term to further develop our expertise, processes and procedures with respect to cybersecurity protection and our response plan.

 

To date, we have not (to our knowledge) encountered cybersecurity challenges that have materially impaired our operations or financial standing. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this Report.

39


 

Governance

 

Our management team is primarily responsible for assessing and managing our strategic risk exposures, including material risks from cybersecurity threats, with assistance from third-party service providers. Management oversees our cybersecurity process on a day-to-day basis, including those described in “Risk Management and Strategy” above.

Our audit and risk committee is tasked with general oversight of our risk management process, including risks from cybersecurity threats. Members of management provide periodic briefings to the audit and risk committee of our board of directors regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. In furtherance thereof, the committee is responsible for monitoring and assessing strategic risk exposure. Our audit and risk committee provides regular updates to the board of directors on such reports.