HARROW, INC. - (HROW)

10-K Filing Date: March 19, 2024
ITEM 1C. CYBERSECURITY

 

We are subject to cybersecurity threats that could have a material adverse impact on our results of operations, financial condition and cash flows, as well as our operations—including our manufacturing and marketing capabilities. We operate a risk-based cybersecurity program which is designed to: (i) ensure the security, confidentiality, integrity and availability of our information and systems; (ii) protect against anticipated or actual cyber threats to our information and systems; and (iii) protect against unauthorized access and/or use of our information and systems. Overall cybersecurity risk reporting is integrated with our enterprise risk management program, is included in discussions with the Audit Committee of our board of directors and disclosed where appropriate. Our information technology and cybersecurity function is headed by our Chief Executive Officer (“CEO”) and Director of Information Technology, who are responsible for managerial oversight of our cybersecurity program. Our Director of Information Technology reports directly to the Chief Executive Officer of ImprimisRx and Chief Commercial Officer, who reports directly to our CEO.

 

We utilize a layered approach in assessing, identifying, evaluating and managing material risks from cybersecurity threats, and leverage outside partners to gain intelligence on threats. We take input from industry activities, third party assessments and internal simulations and continuously adjust our protection mechanisms to be effective. We also assess operational and data security risks associated with our use of third-party service providers, understanding where failure points may exist within our supply chain operations and data protections. If we learn of a cybersecurity incident at a third-party service provider, our information technology department will maintain communication with that third-party service provider and communicate any cybersecurity incidents to the Director of Information Technology and CEO. All Harrow employees receive information security training (including data protection and fraud awareness) on an annual basis, and we use industry standard technology to monitor systems for anomalous behavior. We also require employees in certain roles to complete additional role-based, specialized cybersecurity trainings. In the event an incident were to occur, a Security Incident Response Team would be convened that consists of members from many functions, including legal counsel, the Director of Information Technology and the CEO.

 

Our Board of Directors has the ultimate oversight of the Company’s risks—including cybersecurity risks—with our Audit Committee assisting the Board of Directors in its oversight of cyber and information security risks. Members of management that possess information security certifications and many years of experience work with our legal, finance and corporate governance functions to identify, define and report cybersecurity risks, policies and procedures and incident response plans. The Audit Committee receives updates on our cybersecurity program from management on a regular basis and more frequently as determined to be necessary or advisable. Updates to the Audit Committee include policies, processes, procedures and any significant developments related to the identification, mitigation and remediation of cybersecurity risks, as well as effectiveness and changes in our ability to monitor, protect, detect and respond to incidents, risk reviews and industry news briefings. The Audit Committee also ensures that management provides a cyber and information security update to the Board of Directors at least annually. Finally, in the event a material cybersecurity incident were to occur, the CEO and Director of Information Technology would brief the Audit Committee which would then be responsible for assessing the materiality of the incident and making the determination of materiality and any related disclosure.

 


We face a number of cybersecurity risks in connection with our business. Although we have numerous controls to protect against common attacks, some attacks may still be effective. Our controls are designed to detect, triage and eradicate these attacks. While we carry a cyber insurance policy to help cover investigation and mitigation expenses, it may be subject to limitations and be insufficient to cover all expenses that may result from a cybersecurity incident. Although the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, such incidents could have a material adverse effect in the future as cyberattacks continue to increase in frequency and sophistication.

 

For more information about the cybersecurity risks and other information technology and data privacy risks we face, see Item 1A. Risk Factors and the subsection titled “A breakdown of our information technology systems, or a cyberattack or information security breach could significantly compromise the confidentiality, integrity and availability of our information technology systems, network-connected control systems and/or our data, interrupt the operation of our business and/or affect our reputation.”