VirnetX Holding Corp - (VHC)
10-K Filing Date: March 15, 2024
Cybersecurity
Cybercriminals, hackers, and threat actors are becoming more sophisticated and effective every day. To mitigate threats to our business, we take a comprehensive approach to cybersecurity risk management and make securing the data that our customers and other stakeholders entrust to us a top priority. We are committed to safeguarding the confidentiality, integrity, and availability of all physical and electronic information assets to ensure that regulatory, operational, and contractual requirements are fulfilled. Our board of directors (the “Board”) and our management are actively involved in the oversight of our risk management program, of which cybersecurity represents an important component. As described in more detail below, we have established policies, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats. We have devoted significant resources to implement and maintain security measures to meet regulatory requirements and customer expectations, and we intend to continue to make significant investments to maintain the security of our data and cybersecurity infrastructure. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we have technology and processes in place to detect and respond to cybersecurity threats, we are continually at risk from the evolving cybersecurity threat landscape. We have not previously experienced a cybersecurity event that was determined to be material, and our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K.
Risk Management and Strategy
We have developed detailed policies, processes and practices for assessing, identifying, and managing material risks from cybersecurity threats as a part of our overall risk management program. These policies, processes and practices are based on frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. This does not imply that we meet any particular technical standards, specifications or requirements; however, we do use these frameworks as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity program in particular focuses on the following key areas:
Collaboration
Our cybersecurity risks are identified and addressed through a comprehensive, cross-functional approach. Key security, risk, and compliance stakeholders meet regularly to develop strategies for preserving the confidentiality, integrity and availability of our own and our customers’ information, identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents. We maintain controls and procedures that are designed to ensure prompt escalation of certain cybersecurity incidents so that decisions regarding such incidents can be made by management, the Board, and legal counsel in a timely manner.
Risk Assessment
We conduct cybersecurity risk assessments annually, quarterly and upon certain triggering events. Such risk assessments take into account information from internal stakeholders, known information security vulnerabilities, and information from external sources (e.g., reported security incidents that have impacted other companies, industry trends, and recommendations from our IT vendors). The results of the assessment are used to drive alignment on, and prioritization of, initiatives to enhance our security controls, make recommendations to improve processes, and inform a broader enterprise-level risk assessment that is presented to our Board and members of senior management.
Technical Safeguards
We regularly assess and deploy technical safeguards designed to protect our information systems and infrastructure from cybersecurity threats. Such safeguards are regularly evaluated and improved based on vulnerability assessments, cybersecurity threat intelligence and incident response experience.
Incident Response and Recovery Planning
We have established comprehensive incident response and management plans and continue to regularly test and evaluate the effectiveness of those plans. Our incident response and management plans address — and guide our employees, management, and Board on — our response to a cybersecurity incident. In the event of an incident, we intend to follow our incident response playbook, which outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying functional areas (e.g., legal), as well as the Board and senior management, as appropriate.
Third-Party Risk Management
We have implemented controls designed to identify and mitigate cybersecurity threats associated with our use of third-party service providers. Such providers are subject to security risk assessments at the time of onboarding, at contract renewal, and upon detection of an increase in their risk profile. We use a variety of inputs in such risk assessments, including information supplied by the providers themselves and by third parties. In addition, we encourage our providers to meet appropriate security procedures, controls and responsibilities, and we investigate security incidents that have impacted our third-party providers, as appropriate.
Education and Awareness
Our policies require each of our employees to contribute to our cybersecurity efforts. We regularly remind employees of the importance of handling and protecting customer and employee data, including through privacy and security trainings to enhance employee awareness of how to detect and report cybersecurity threats and cybersecurity incidents.
Governance
Board Oversight
The Nominating and Corporate Governance Committee (the “Committee”) and senior management oversee our cybersecurity risk processes and policies. The Committee receives regular reports from senior management about the prevention, detection, mitigation, and remediation of cybersecurity incidents, including security risks and information security vulnerabilities. The Committee also ensures that procedures for safeguarding the Company’s information technology (“IT”) systems are documented and implemented, monitors the effectiveness of the Company’s cybersecurity program for protecting against internal and external threats as well as disaster recovery and disruption mitigation, and addresses deficiencies as the threat and business landscape continues to evolve. The Board receives regular updates from the Committee based on such oversight and communications with senior management regarding cybersecurity risk resulting from risk and control maturity assessments, progress of risk reduction initiatives, external auditor feedback and relevant internal and industry cybersecurity incidents.
Our Board has technical and industry expertise in risk management, computer security and information technology matters. Specifically, the chairperson of the Committee has 39 years of experience in the cybersecurity field, is a former sub-chairman of the NIST Board of Assessment for Programs/National Research Council and holds CISSP and CRISC certifications.
Management’s Role
Our chief technology officer (“CTO”), Director of IT (Information Technology), and Director of SecDevOps (Security, Development Operations) (collectively, the “Security Team”) have primary responsibility for assessing and managing cybersecurity risks. The Security Team reviews security performance metrics, identifies security risks, and assesses the status of approved security enhancements. The Security Team also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies.
Our CTO has served in various roles in information technology and information security for over 30 years. He holds a PhD in Information Technology and has been with VirnetX since 2007. Our Director of IT has served in various roles in information technology for 29 years. He holds a degree in Computer Technology. Our SecDevOps Director has served in various roles in information technology and information security for over 33 years.