ASENSUS SURGICAL, INC. - (ASXC)

10-K Filing Date: March 21, 2024
ITEM 1.C. CYBERSECURITY

 

We are increasingly dependent on information technology systems and infrastructure to operate our business. In the ordinary course of our business, we collect, store, process, and transmit sensitive corporate, personal, and other information, including intellectual property, proprietary business information, customer data including PII, and other confidential information. It is critical that we do so in a secure manner to maintain the confidentiality, integrity, and availability of such information.

 

Risk Management and Strategy

 

We maintain a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program is integrated within our enterprise risk management system and addresses the corporate information technology environment, the data we collect through our products and retain in the TRUST registry and Asensus Cloud, and customer information.

 

The underlying controls of the cybersecurity risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, and the International Organization for Standardization, or ISO, 27001 Information Security Management System Requirements. We have an annual assessment, performed by a third party, of the Company’s cyber risk management program against the NIST CSF.

 

We monitor our global cybersecurity environment constantly and coordinate the investigation and remediation of any alerts. We have developed a program for incident response, including drills, to prepare support teams in the event of a significant incident. We have engaged third-party consultants to assist us with designing controls and our cybersecurity risk management framework, and to perform penetration testing. We also retain third parties to assist us with the monitoring and detection of cybersecurity threats and responding to any cybersecurity threats or incidents.

 

With respect to third parties that manage or use our information technology or data, we obtain reports to assess the security of their systems and processes. We engage in ongoing monitoring of all third-party providers to ensure compliance with our cybersecurity standards.

 

We have not encountered cybersecurity threats or incidents that have had a material impact on our business. We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. See “RISK FACTORS - Risks Related to the Operation of our Business - Significant disruptions of our information technology systems or data security incidents could harm our reputation, cause us to modify our business practices, and otherwise adversely affect our business and subject us to liability.”

 


Our Manager of Data and Information Technology and Vice President of Customer Excellence, in consultation and collaboration with senior management, lead our cybersecurity efforts. The cybersecurity team is responsible for assessing and managing our cyber risk management program and for informing executive management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents, and it supervises such efforts. The cybersecurity team has experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes, and relies on threat intelligence as well as other information obtained from governmental, public or private sources, including external consultants engaged by us.

 

Governance

 

The Corporate Governance and Nominating Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity team briefs the Corporate Governance and Nominating Committee on the effectiveness of our cyber risk management program on a regular basis. We believe locating this oversight function in the Corporate Governance and Nominating Committee is appropriate given that the reach of our cybersecurity risk monitoring programs is not limited to financial programs or functions. In addition, cybersecurity risks are reviewed by our Board of Directors at least annually.