biote Corp. - (BTMD)
10-K Filing Date: March 15, 2024
Risk management and strategy
We have implemented and maintain policies and processes designed to assess, identify, and manage material risk from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and trade secrets, data we may collect about trial participants in connection with clinical trials, sensitive third-party data, business plans, transactions, and financial information (“Information Systems and Data”). We have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
The cybersecurity function within the Company, which comprises, in part, our information technology (“IT”) security director (who has several years of commercial experience and a master’s degree in information systems with a focus on cybersecurity) and other members of our technical staff management, along with our legal advisors, risk management team, and overall information security function, helps identify, assess and manage the Company’s cybersecurity threats and risks. Our IT security department, under the direction of our Chief Information Officer (“CIO”) and led by our IT security director, identifies and assesses risks from cybersecurity threats by monitoring cybersecurity and operational risks using various security tools designed to protect against, detect, and respond to cybersecurity threats, and has implemented processes and procedures aligned with our information security management system to support and promote resilient programs. This includes automated tools, security assessment and monitoring, restricted physical access to servers and network equipment, system audits and third party assessments, a third-party IT vendor risk management process to assess and manage risk presented by our IT vendors, third party threat assessments, evaluating threats reported to us, and annual review of cybersecurity insurance policies and the associated levels of coverage based on current risks.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures and processes designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response, an incident response plan, a vendor risk management program, employee training, data encryption, physical security, dedicated cybersecurity staff, systems monitoring, cyber insurance, and asset management, tracking, and disposal.
We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, managed cybersecurity service providers, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We have also developed a third-party cybersecurity risk management process to conduct due diligence on external entities, including those that perform cybersecurity services.
See our risk factors under Part I, Item 1A Risk Factors in this Form 10-K for additional information regarding cyber-security related risks that could materially affect our business strategy, results of operations, or financial condition.
Governance
Our Board of Directors and Audit Committee are actively engaged in the oversight of our risk management, including cybersecurity risk. The Board of Directors and Audit Committee receive quarterly reports on information security from our CIO. The Audit Committee is responsible for overseeing our risk exposure to information security, cybersecurity, and data protection, as well as the steps management has taken to monitor and control such exposures.
Our IT security department, which assesses and manages our risks from cybersecurity threats, is led by our CIO, who reports to our chief executive officer. We have in place an incident response plan to identify, protect, detect, respond to, and recover from cybersecurity threats and incidents. We also employ various defensive and continuous monitoring techniques using recognized industry frameworks and cybersecurity standards. Our CIO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CIO meets with the audit committee periodically to review our information technology systems and discuss key cybersecurity risks. Additionally, we maintain a qualified third-party vendor relationship which is available to the team for on-demand incident response and investigation, as needed.
Our IT security director reports to our CIO, has more than 25 years of experience working in information technology-related roles, and holds a Master’s in Information Systems with a focus in cybersecurity and a Master’s in Business Administration with an emphasis in business intelligence and analytics management.