MONOGRAM ORTHOPAEDICS INC - (MGRM)

10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We review cybersecurity risk as part of our overall enterprise risk management program. This ensures that cybersecurity risk management remains a top priority in our business strategy and operations.

Our risk management strategy includes, among other elements:

Identification: We aim to proactively identify sources of risk, areas of impact, and relevant events that could give rise to cybersecurity risks, such as changes to our infrastructure, service providers, or personnel.

Assessment: We conduct periodic risk assessments to identify cybersecurity threats. We also conduct likelihood and impact assessments with the goal of identifying reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Management: Following our risk assessments, we design and implement reasonable safeguards to address any identified gaps in our existing processes and procedures.

We have processes in place to identify, review and evaluate cybersecurity risks associated with our use of third-party service providers. These reviews are conducted at onboarding and periodically throughout the tenure of the service provider, based on the risk tier rating of each service provider. We believe these processes enable us to evaluate a third-party service provider’s security posture, identify risks that may arise out of our use of the third party’s service, and make decisions regarding acceptable levels of risk and risk mitigation.

Management’s Role in Managing Cybersecurity Risk

Our Company is proactive in managing the material risks from cybersecurity threats, which is reflected in the establishment of a dedicated committee responsible for overseeing such risks. This committee is composed of the following individuals:

Kamran Shamaei, Chief Technology Officer, who provides technical leadership and strategic direction for all technology-related decisions, including cybersecurity.
Muhammad Afnan, Director of Software Development, who brings extensive knowledge in software security practices and the implementation of secure development life cycles.
Nisha Patel, Director of Quality & Regulatory Affairs, whose expertise in regulatory compliance ensures that our cybersecurity policies meet the required standards.

This cross-functional team possesses a comprehensive understanding of cybersecurity, data privacy, and risk management, essential in developing, monitoring, and enforcing our cybersecurity strategy.


Processes for Monitoring Cybersecurity

Our cybersecurity oversight committee maintains rigorous processes to remain informed and responsive to the ever-changing landscape of cybersecurity. These processes include:

The creation and management of secure user accounts within our Monogram Google Workspace email environment, ensuring controlled email communication.
The establishment of access controls to Google Drive and Bitbucket, safeguarding our product-related documents and software development repositories.
Subscription to Amazon Web Services for secure storage of our mechanical drawings and electrical schematics.
Utilization of Green Light Guru for maintaining a repository of all released and quality documents.
Oversight of bill.com and NetSuite for financial operations and inventory management, ensuring secure financial transactions and data integrity.
These processes are under continuous review and adjustment, with the committee meeting quarterly to evaluate and refine our cybersecurity practices.

Reporting Cybersecurity Information

In terms of reporting, the structure of our cybersecurity information flow is designed to ensure that significant risks and incidents are communicated efficiently to senior management and the board of directors:

The Software Director, Platform Tech Manager, and dedicated admin for Green Light Guru report directly to Kamran Shamaei, the CTO.
The committee convenes on a quarterly basis to discuss the current state of cybersecurity affairs, subsequently reporting their findings to the CEO and CFO.
In the event of any concerns or breaches, these are immediately escalated to Paul Riss, ensuring prompt and effective response and mitigation strategies.

Through this tiered reporting structure, we ensure that critical cybersecurity information reaches the appropriate levels of management and that the board of directors is kept fully informed on material risks and incidents. Our approach ensures that we maintain a vigilant and responsive posture towards cybersecurity, embodying a culture of continuous improvement and accountability at all levels of our organization.
