Biofrontera Inc. - (BFRI)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity


Risk Management and Strategy


We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity program is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, but rather that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.


Key elements of our cybersecurity risk management program include:


risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise information technology environment;
leveraging our external service providers, where appropriate, to assess, test, monitor or otherwise assist with aspects of our security controls;
training and awareness programs for employees to drive adoption and awareness of cybersecurity processes and controls;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.


In the last two fiscal years, the Company has not experienced any material cybersecurity incidents, and expenses incurred from cybersecurity incidents were immaterial. For a discussion of whether and how any risks from cybersecurity threats are reasonably likely to materially affect us, including our business, results of operations or financial condition, refer to Item 1A. Risk Factors - “Our business and operations would suffer in the event of system failures or cyber-attacks or a deficiency in our cyber-security,” which is incorporated by reference into this Item 1C.


Governance (Role of Management/Role of the Board)


Our cybersecurity program and function are overseen by the Director of Information Technology (“Director of IT”), who has over 15 years of experience leading information technology divisions in various industries. The Director of IT collaborates with all business units to identify and assess cybersecurity risks and compliance with company policy. The Director of IT stays aware of emerging threats and trends in cybersecurity through attendance at cybersecurity conferences, subscription to the CISA.gov mailing list, various technology-focused news outlets, and other sources.


The Audit Committee is responsible for the oversight of risks associated with cybersecurity threats. The Audit Committee charter provides that the Committee is responsible for considering the effectiveness of the Company’s internal control system, including information technology security and control. The Director of IT reports significant cybersecurity events to our Vice President of Administration or Chief Financial Officer, who then reports such events to our Audit Committee.