Co-Diagnostics, Inc. - (CODX)

10-K Filing Date: March 14, 2024
ITEM 1C. CYBERSECURITY


We understand the importance of preventing, identifying, assessing and managing material risks associated with cybersecurity threats. Cybersecurity processes to identify, assess and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and are designed to help protect our information assets and operations from internal and external cyber threats and protect employee and customer information from unauthorized access or attack, as well as secure our network and systems. The Company’s cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and are included in the Company’s overall risk management system and processes. We have implemented into our operations these cybersecurity processes, technologies and controls to identify, assess and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic internal and external penetration testing by an independent cybersecurity firm to inform our risk identification and assessment of critical, high, medium and minor material cybersecurity threats.


To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we undertake the below listed activities:


  • Monitor evolving cybersecurity standards and emerging data protection laws and implement changes to our processes to comply;
  • Conduct risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
  • The Company leverages third-party vendors to house critical clinical trial data. These vendors are required to be GxP compliant, which entails strong cybersecurity controls that are validated by a third-party auditor. Furthermore, the Company has begun performing security risk assessments prior to on-boarding new significant vendors;
  • The Company provides regular, mandatory training for all levels of employees regarding cybersecurity threats as a means to equip the Company’s employees with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices;
  • Employ multifactor authentication on internal and external systems;
  • Conduct regular phishing email simulations for all employees; and
  • Carry cybersecurity risk insurance that provides protection against the potential losses arising from a cybersecurity incident.


Our incident response plan coordinates the activities that we and our third-party cybersecurity providers take to prepare for, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.


As part of the above processes, we engage with subject matter expert consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.


Our processes also include assessing cybersecurity threat risks associated with our use of third-party service providers in the normal course of business, including those in our supply chain or who have access to patient and employee data or our systems. Third-party risks are included within our risk management process discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party service providers, including due diligence on the third parties that have access to our systems and on the facilities that house our systems and data.


We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, cybersecurity threats may affect our business. See “Cyber security risks and the failure to maintain the integrity of company, employee or guest data could expose us to data loss, litigation and liability, and our reputation could be significantly harmed.” in “Item 1A. Risk Factors” of this Annual Report on Form 10-K.


The Audit Committee of the Board of Directors is responsible for oversight of our cybersecurity risk assessment, risk management, incident response procedures and cybersecurity risks and provides updates to the Board of Directors regarding such oversight. Periodically during each year, the Audit Committee receives an overview from our Vice President, Head of Technology of our cybersecurity threat risk management and strategy processes, including potential impact on us, the efforts of management to manage the risks that are identified and our incident response preparations.


Our cybersecurity risk assessment, management and strategy processes are led by our Chief Technology Officer. Our Chief Technology Officer has over 15 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs. The Chief Technology Officer, who was recently promoted and is training to be a Certified Information Security Manager (CISM), is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.
