Calidi Biotherapeutics, Inc. - (CLDI)

10-K Filing Date: March 15, 2024
ITEM 1C. Cybersecurity

 

Cybersecurity Risk Management and Strategy

 

In our business operations, we use information technology, enterprise applications, communications tools, cloud network solutions, and related systems to manage our operations, including to manage our building systems, vendor relationships, accounting and recordkeeping, and communications, among other aspects of our business.

 

We have developed and implemented a cybersecurity risk management program intended to protect our confidential and proprietary data, and information technology and systems, from cybersecurity threats, including unauthorized access or attack. We leverage the SOC 2 TYPE II Cybersecurity Framework as a guide to help us identify, assess, and manage cybersecurity risks relevant to the business. This does not imply that we meet any particular technical standards, specifications, or requirements.

 

Our processes for assessing, identifying, and managing risks from cybersecurity threats, including operational risks, financial reporting risks, reputational risks, personal data theft, fraud, and other potential risks, are integrated into our overall enterprise risk management process, and share common methodologies, reporting channels, and governance processes that apply across the enterprise risk management process to other legal, compliance, strategic, operational, and financial risk areas.

 

Our cybersecurity risk management program includes the following:

 

  a multidisciplinary team comprised of personnel from information technology (“IT”), internal audit, accounting, and legal, as well as third-party cybersecurity experts principally responsible for directing (i) our cybersecurity risk assessment processes, (ii) our security processes, and (iii) our response to cybersecurity incidents, and a third-party security operations center.

 


  risk assessments designed to help identify material cybersecurity risks to our critical systems, information, services, and our broader enterprise IT environment.

 

  internal and third-party security tools to monitor our systems, identify cybersecurity risks, and test our IT environment.

 

  the use of third-party cybersecurity experts, where appropriate, to assess, test or otherwise assist with aspects of our security processes.

 

  a cybersecurity incident response plan and business continuity plan.

 

  cybersecurity training for employees and key business partners with access to our systems.

 

  a third-party cybersecurity risk management process for service providers and vendors who access our systems.

 

  requiring employees, as well as third parties who have access to our systems, to treat confidential and private information and data with care, including performing controls relating to such data; and

 

  cybersecurity risk insurance.

 

We also seek to engage reputable service providers that maintain cybersecurity programs or controls.

 

We have not identified risks from known cybersecurity threats within the prior fiscal year, including as a result of any prior cybersecurity incident, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Please refer to “Item 1A, Risk Factors” in this report for additional information about certain ongoing risks related to our information technology that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

 

Cybersecurity Governance

 

Cybersecurity is an important part of our overall risk management processes and an area of focus for our Board of Directors and management.

 

The Board, in coordination with the Audit Committee, oversees the Company’s enterprise risk management process, including the management of material risks arising from cybersecurity threats. The Audit Committee regularly receives updates from management and third-party cybersecurity experts about major cybersecurity risks, their potential impact on our business operations, and management’s processes to identify, monitor, and mitigate such risks, including, as relevant, the results of assessments or audits of our processes. The Audit Committee periodically provides updates on these matters to the Board of Directors.

 

Our enterprise risk team consists of cross-functional professionals who collaborate with subject matter specialists, as necessary, including an independent third-party expert we have retained to identify and assess material risks from cybersecurity threats, their severity, and potential mitigation steps. The CISO is primarily responsible for leading our cybersecurity risk assessment and management processes. Our Chief Business Officer, Stephen Thesing, currently serves as our CISO. Prior to Calidi, his work experience was in the arena of Healthcare Information Technology, Software and Services, and his early career was in Enterprise Systems, Data Storage, and the secure management and restoration of data in high-availability installations for mission-critical clients, including Blue Cross-Blue Shield organizations and the US Government. Mr. Thesing received a Bachelor of Science in Business, Information Systems, and Marketing from California Polytechnic University, San Luis Obispo. He is supported by external IT and internal audit personnel who regularly review and assess cybersecurity initiatives, including our incident response plan, as well as cybersecurity compliance, training, and risk management efforts.