Apyx Medical Corp - (APYX)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity

The Company’s information security program is designed to preserve the accuracy and integrity of all forms of information processed by us and to protect such information, including our employees’, customers’ and end users’ personally identifiable information and information related to our operations, from misuse, loss, or theft. Our information security program is founded on principles and standards of the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity issued by the U.S. government.

The outsourced Chief Information Security Officer (“CISO”) works closely with the Chief Financial Officer to collectively manage our global information security, information technology and data privacy programs. The Company’s information security program includes a robust set of controls and safeguards for the systems, applications, and databases of the Company and of its third-party vendors. The CISO manages the information security program and sets annual targets and security objectives. The program includes regular risk assessments and recurring internal and external audits to assess the program’s maturity and effectiveness. The results of these assessments and audits help inform decisions to make program adjustments and ensure that the program’s security objectives are effective and up to date. Additional features of our cybersecurity program include security controls, such as firewalls and intrusion detection systems; data loss prevention tools; penetration testing of network, cloud, and application platforms; security assessments of our third-party vendors; and security awareness education for our employees and specialized training for our information security specialists.

We have implemented security monitoring capabilities designed to alert us to suspicious activity, and have developed an incident response program that includes periodic coordinated response exercises designed to restore business operations as quickly and in as orderly a manner as possible in the event of a breach. In the event of a cyber incident which may be considered “material” under the SEC’s disclosure rules, Apyx Medical has established a separate committee comprised of the CISO, Chief Financial Officer, Outside Counsel, Chief Executive Officer, and Department Heads, if necessary. This committee is responsible for determining whether a cyber incident, or series of incidents, is “material” and requires disclosure under Item 1.05 of Form 8-K, as well as for informing the Board of Directors about the incident from a risk oversight perspective.

The Board of Directors oversees risks relating to cybersecurity. The CISO and CFO present to the Board of Directors on a quarterly basis and present the results of the risk assessments and audits on at least an annual basis. These reports also include detailed updates on the Company’s performance in preparing for, preventing, detecting, responding to, and recovering from cyber incidents. Apyx outsources the majority of its IT services and security to a well-respected company in the industry.

Failure of our information security program to prevent or detect a cyber incident could result in the compromise of Company and customer information, reputational damage, and/or financial loss. During the periods covered by this report, we did not experience any material cyber incidents and the expenses we incurred from cyber incidents were immaterial. While prior incidents have not had a material impact on us, future incidents could have a material adverse effect on our business, results of operations and cash flows. For additional information about our cybersecurity risks, see Item 1A — Risk Factors on this Annual Report on Form 10-K.
