NEPHROS INC - (NEPH)

10-K Filing Date: March 15, 2024
Item 1C. Cybersecurity


Risk Management and Strategy


We have implemented cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage cybersecurity risks. Our enterprise risk management framework considers cybersecurity risk alongside other company risks as part of our overall risk assessment process.


Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.


Our cybersecurity risk management program includes:


  - risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology (“IT”) environment;
  - an outsourced security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
  - the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls; and
  - cybersecurity awareness training for our employees, incident response personnel, and senior management, including mandatory computer-based training, internal communications, and regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees.


In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), our outsourced security team maintains a written incident response plan outlining how to address cybersecurity events that occur. A team composed of finance and technology personnel reviews the plan annually. The plan serves as a framework for the execution of responsibilities across businesses and operational roles and is designed to help us coordinate actions to prepare for, detect, respond to, and recover from cybersecurity incidents. It includes processes to triage, assess severity, escalate, contain, investigate, and remediate an incident, as well as to assess the need for disclosure, comply with applicable legal obligations, and mitigate the impact on our brand and reputation and on impacted parties.


In addition to the cybersecurity incident response plan, our outsourced security team conducts tabletop exercises to enhance our incident response preparedness. The team also has processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. These processes include conducting due diligence and risk assessments of our current and potential vendors that examine each vendor’s cybersecurity protocols and adherence to applicable regulations.


We also maintain business continuity and disaster recovery plans to prepare for and respond to the potential for any disruption in the technology we rely on. Additionally, we maintain insurance coverage that, subject to its terms and conditions, is intended to help us cover certain costs associated with cybersecurity incidents and information system failures.


We (or the third parties we rely on) may not be able to fully, continuously, or effectively implement security controls as intended. As described above, we use a risk-based approach and judgment to determine whether and how to implement certain security controls, and it is possible that we may not implement the necessary controls if we fail to recognize, or underestimate, a particular risk. In addition, security controls, no matter how well designed or implemented, may only mitigate and not fully eliminate cybersecurity risks. Cybersecurity events, even when detected by security tools or third parties, may not be identified immediately or addressed in the manner intended by our cybersecurity incident response plan.


Governance


Based on the information available as of the date of this Annual Report, we have no reason to believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see “Risks Related to Cybersecurity, Data Privacy and IT Systems,” in Item 1A, “Risk Factors” in this Annual Report on Form 10-K.


Given that cybersecurity risks can affect the areas of responsibility of several Committees of the Board, and given the overall size of the Board, the Board believes it is useful and effective for the entire Board to maintain direct oversight over cybersecurity matters. We have implemented processes that will include regular updates to the Board from our Chief Executive Officer and Chief Financial Officer, for the Board’s review and feedback, regarding our cybersecurity governance processes, the status of projects to strengthen internal cybersecurity, and the results of third-party assessments. These updates also cover any significant cyber incidents, including recent incidents at other companies, and the emerging threat landscape.


Our cybersecurity risk management and strategy processes, discussed in greater detail above, are led by our Chief Financial Officer, in conjunction with our outsourced security team, under the supervision of our Chief Executive Officer. Our Chief Financial Officer has over five years of prior work experience in various roles involving supervising the implementation of information technology systems. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including their roles in our overall enterprise risk management. As discussed above, our Chief Executive Officer and Chief Financial Officer regularly report to the Board about risks from cybersecurity threats, among other cybersecurity-related matters.