Anika Therapeutics, Inc. - (ANIK)
10-K Filing Date: March 15, 2024
Cyber Risk Management and Strategy
We rely on information technology and data to operate our business and develop, market, and deliver our products to our customers. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to critical computer networks, third-party hosted services, communications systems, hardware, manufacturing equipment and processes, lab equipment, software, and our critical data including confidential, personal, proprietary, financial and sensitive data. Accordingly, we maintain certain risk assessment processes intended to identify risks from cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business.
We use a layered approach designed to mitigate the constantly evolving risks from cybersecurity threats by investing in people, processes, and cybersecurity technologies. Our approach is informed by recognized industry standards and frameworks, and incorporates elements of the same, including elements of the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF, and the Center for Internet Security, or CIS, critical security controls.
Our cybersecurity risk management program leverages trusted technology partners and solutions in an effort to identify and track key cybersecurity risks. This program includes periodic security assessments conducted in collaboration with our key stakeholders, penetration testing and vulnerability assessments, and a mandatory cybersecurity training program for employees. To manage cybersecurity incidents, our global security operations team maintains a cybersecurity incident response plan, conducts readiness exercises, and takes steps to improve the program, as appropriate, to manage the changing threats faced in our industry.
As part of our cybersecurity risk management program, we take a risk-based approach to the evaluation of third-party vendors. We apply mitigations and processes based on our evaluation of the criticality of the vendor and the sensitivity of the data the vendor accesses. Our current vendor evaluation procedures include, as appropriate, an assessment prior to onboarding and implementation of cybersecurity-specific contract provisions. We are in the process of expanding and maturing these vendor risk management procedures.
We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Risks from cybersecurity threats have, to date, not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition; however, from time to time, we have experienced threats and security incidents relating to our and our third-party vendors’ information systems. For additional information, please see the section captioned “Part I. Item 1A. Risk Factors” in this Annual Report on Form 10-K.
Governance Related to Cybersecurity Risks
Our Vice President of Information Technology, or VP of IT, is responsible for the direction of our information technology organization. Our VP of IT has over twenty-five years of cybersecurity and incident management experience. Our VP of IT is supported by a third-party virtual chief information security officer, or vCISO, who also has over twenty-five years of cybersecurity experience. Our VP of IT, supported by our vCISO, assesses our cybersecurity risks through regular meetings with our IT team, and escalates cybersecurity matters as needed to management.
The role of the Board of Directors in our risk oversight process includes receiving reports from management and the chairs of Board committees on areas of material risk to our Company, including cybersecurity risks. The Board has delegated primary responsibility to the Audit Committee to review these matters. As established in the Audit Committee Charter, the Audit Committee oversees cybersecurity risks by reviewing reports, summaries and presentations on data management and security initiatives and significant existing and emerging cybersecurity risks. This includes material cybersecurity incidents, the impact to us and our stakeholders of any significant cybersecurity incident, and any disclosure obligations arising from any such incidents. Our VP of IT presents on risks from cybersecurity threats to the Audit Committee at least annually and to the full Board, as necessary.