ONE STOP SYSTEMS, INC. - (OSS)

10-K Filing Date: March 21, 2024
ITEM 1C. CYBERSECURITY.

Risks related to Cybersecurity Incidents

We face significant risks related to cybersecurity threats, which could adversely affect our business, financial condition, and results of operations. Cybersecurity incidents, including but not limited to unauthorized access, data breaches, and other malicious activities, could result in the loss or theft of sensitive information, disruption of our operations, and damage to our reputation. While we have implemented measures to protect our information systems, there can be no assurance that these measures will effectively prevent all cybersecurity incidents.

Specific risks include, but are not limited to:

1. Data Breaches: A breach of our information systems could lead to unauthorized access to customer or employee data, resulting in reputational harm and legal liabilities.
2. Operational Disruption: Cybersecurity incidents could disrupt our operations, leading to delays in production, delivery, or fulfillment of customer orders.
3. Intellectual Property Theft: Unauthorized access to our proprietary information could result in intellectual property theft, impacting our competitive position in the market.
4. Regulatory and Legal Compliance: Cybersecurity incidents may subject us to regulatory investigations, legal claims, and penalties, affecting our compliance with applicable laws and regulations.
5. Third-Party Relationships: Our reliance on third-party vendors and service providers exposes us to additional cybersecurity risks, and a security breach affecting these entities could impact our operations.

Although, to date, cybersecurity incidents have not materially impacted our business strategy, results of operations, or financial condition, there can be no assurances that they will not do so in the future.

Refer to “Item 1A. Risk factors” in this Annual Report for additional information about cybersecurity-related risks.

Risk Management and Strategy

Assessing, Identifying, and Managing Material Cyber Threats

We have in place certain infrastructure, systems, policies, and procedures that are designed to proactively and reactively address circumstances that arise when unexpected events such as a cybersecurity incident occur. These include processes for assessing, identifying, and managing material risks from cybersecurity threats. We consult with external parties, such as cybersecurity firms and risk management and governance experts, on risk management and strategy. We use a team of outside vendors and government services specializing in IT and cybersecurity that provide expertise, tools, and methodologies to identify and assess vulnerabilities and potential threats. Automated tools and AI-based user behavior analytics also support identification and management of cyber threats. Response to a broad category of threats is immediate and automatic. Security personnel and members of our management are alerted when cyber threats or anomalies are detected. Persistent threats or issues that, in the opinion of management, are material are immediately brought to the attention of our board of directors.

In the event of a cyber incident detected by 24/7 monitoring software or reported through employee notification, our IT and cybersecurity provider performs a detailed assessment of the incident, identifies the source of the problem, and resolves the issue as appropriate. If they are unable to resolve the issue, the problem is escalated to our cybersecurity monitoring and detection software provider for resolution. Events which are not routinely resolved by our IT and cybersecurity provider are brought to the attention of the board.

In order to mitigate the risks of cybersecurity incidents, critical business and operational data are backed up nightly and stored offsite, both for security purposes and so that data can be restored in the event of a breach. Additionally, we provide cybersecurity awareness training to our employees, incident response personnel, and senior management.

Governance

Our management team, including our vice president of technology, is primarily responsible for assessing and managing our material risks from cybersecurity threats. Management supervises both our internal cybersecurity and IT personnel and our retained external cybersecurity consultants and vendors. Additionally, they supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal or external security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants or vendors engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Our board of directors, through its Audit & Risk Committee, oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Management, including our vice president of technology, and our Audit & Risk Committee members, two of whom have received training and certifications on cyber risk governance for public companies, regularly brief our board of directors on our cybersecurity and information security posture as well as on cybersecurity incidents deemed to have a moderate or higher business impact, even if viewed as immaterial to us. As cyber threats evolve and become more sophisticated, we believe that the board's involvement in cybersecurity governance ensures that we are adequately focused on resources and on protecting the Company’s assets and reputation.

Vital aspects of our cybersecurity governance that are currently in process or have been implemented include the following:

Governance and Strategy: Management, the Audit & Risk Committee and the board ensure that our cybersecurity strategy is aligned with our business strategy.
Risk Management and Oversight: Our Audit & Risk Committee and the board, as part of the board’s enterprise risk management oversight, actively oversee our cybersecurity risk management framework, ensuring that material risks are identified, assessed, and mitigated.
Resource Allocation:
   o Budget Approval: The board reviews and approves cybersecurity budgets and resource allocations to ensure we have adequate resources to implement and maintain effective cybersecurity measures.
   o Investment Decisions: The board, based upon recommendation of management or our external vendors and consultants, evaluates and approves significant investments in cybersecurity technologies, training, and talent.
Compliance and Legal Obligations:
   o Regulatory Compliance: Management and the board both play a role in overseeing compliance with relevant cybersecurity regulations and legal requirements.
   o Legal Oversight: Management and the board ensure we have appropriate legal counsel to address cybersecurity-related issues, including breach notification requirements.
Education and Awareness:
   o Training and Awareness: Members of management and members of our board take reasonable steps to stay informed about cybersecurity trends, threats, and best practices through ongoing education and training. Management reviews Company employee training programs to ensure employees are being trained appropriately and kept up to date on evolving cyber trends.
   o Board Training: Certain of our board members have received training to understand cybersecurity risks and their role in overseeing cybersecurity.
Reporting and Communication:
   o Periodic Updates: The board receives periodic updates from management, responsible staff and the Audit & Risk Committee regarding the Company’s cybersecurity posture, incidents, and risk management efforts.
   o Communication Strategy: Management, together with the board, is in the process of establishing a communication strategy for addressing cybersecurity disclosures with stakeholders, including customers, employees, and the public.
Performance Evaluation: Included in the board’s annual evaluation of the performance of the Company’s chief executive officer is the effectiveness of implementing cybersecurity policy and measures, ensuring that cybersecurity policies and practices are effective and aligned with organizational goals.
Cybersecurity Culture: The board fosters a cybersecurity-aware culture throughout the organization, supporting management’s efforts to build risk management including cyber into the fabric of the operating culture.

Despite these efforts, the rapidly evolving nature of cybersecurity threats requires ongoing vigilance, and there can be no assurance that our efforts will prevent all incidents.

In addition to the foregoing, management and the board are evaluating, and intend to implement, further cybersecurity related measures, including without limitation developing a more robust internal policy framework, incident response plan, crisis management planning, and third-party vendor assessments and contractual obligations for third parties that the Company engages with. The Company intends to progress these efforts throughout 2024.