electroCore, Inc. - (ECOR)

10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity


Risk management and strategy


Managing Material Risks & Integrated Overall Risk Management


We are developing processes, including those intended to follow an internal Information Technology (IT) Security Policy, which seek to assess, identify, and manage material risks from cybersecurity threats to the IT systems and information that we create, use, transmit, receive, and maintain. We also seek to integrate these processes and policies into our overall enterprise risk management system and processes. We maintain an evolving cybersecurity roadmap for our future cybersecurity plans. The processes for assessing, identifying, and managing material risks from cybersecurity threats, including threats associated with our use of third-party service providers, include our efforts to identify the relevant assets that could be affected, determine possible threat sources and threat events, assess threats based on their potential likelihood and impact, and identify controls that are in place or necessary to manage and/or mitigate such risks. In furtherance of our cybersecurity policies and procedures, our IT team holds a monthly IT Steering Committee meeting, chaired by our Chief Financial Officer (“CFO”) and Chief Strategy Officer, at which all new IT projects include a cybersecurity component.


Engage Third-parties on Risk Management


We engage a range of external experts, including consultants, auditors, and cybersecurity assessors, who assist us in evaluating and testing our cybersecurity systems and processes. These partnerships are intended to give us access to specialized knowledge and insights that can inform our cybersecurity strategies and processes, including as to industry-standard control frameworks and applicable regulations, laws, and standards.


Oversee Third-party Risk


As part of our evolving cybersecurity roadmap, we plan to implement and conduct security assessments of all third-party service providers before engagement and maintain ongoing monitoring to ensure compliance with relevant cybersecurity standards.


Risks from Cybersecurity Threats


We have not experienced any material cybersecurity incidents, and the expenses we have incurred from any security incidents were immaterial. As a result, we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected us, our results of operations, or our financial condition. However, as discussed under “Risk Factors” in Part I, Item 1A of this Annual Report, cybersecurity threats pose multiple and potentially material risks to us, including potentially to our results of operations and financial condition. See “Risk Factors — Failure to protect our information technology infrastructure against cyber-based attacks, network security breaches, service interruptions, or data corruption could significantly disrupt our operations and adversely affect our business strategy and operating results.” As cybersecurity threats become more frequent, sophisticated, and coordinated, it is reasonably likely that we may expend greater resources to continue to modify and enhance protective measures against such security risks.


Governance


Board of Directors Oversight


Our Board of Directors is responsible for exercising oversight of management’s identification and management of, and planning for, risks from cybersecurity threats. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Board’s Audit Committee. The Audit Committee discusses with management not less than annually our major financial risk exposures, including those related to data privacy, data security and network security, and management's program to monitor, assess and control such exposures, including our risk assessment and risk management policies. The Audit Committee reports to the Board as necessary with respect to its activities, including making such reports and recommendations to the Board as it deems necessary and appropriate.


Management’s Role Managing Risk


The role of the Chief Information Security Officer (CISO) has been assigned to our VP, Information Technology, who has 20 years of IT experience and reports to the CFO. The CISO and the CFO inform the Audit Committee on cybersecurity risks. They provide briefings to the Audit Committee on no less than an annual basis or on an ad hoc basis when needed. These briefings encompass:

Evaluation of existing cybersecurity risks;
Status of ongoing cybersecurity initiatives and strategies from the cybersecurity roadmap; and
Incident reports and learnings from cybersecurity events.


Risk Management Personnel


Management’s role in assessing, monitoring and managing our material cybersecurity risks is primarily the responsibility of our CISO, reporting to our CFO. Both the CISO and CFO rely on third-party experts, including consultants, auditors, and cybersecurity assessors, regarding cybersecurity strategies and processes. The CISO manages vendor work related to cybersecurity, and has primary responsibility for the evolving cybersecurity roadmap, remediating known risks, and leading our employee training program, pursuant to which we provide annual privacy and security training for all employees. Our security training incorporates awareness of cyber threats (including but not limited to malware, ransomware and social engineering attacks), password hygiene, the incident reporting process, and physical security best practices. Our management has also developed security policies and processes which include regular system updates and patches, employee training on cybersecurity and privacy requirements, incident reporting, and the use of encryption to secure sensitive information. In addition, we regularly perform phishing tests of our employees and update our training plan at least annually. We maintain business continuity and disaster recovery capabilities to mitigate interruptions to critical information systems and/or the loss of data and services from the effects of natural or man-made disasters on our physical operations.


Monitor Cybersecurity Incidents


The CISO implements and oversees processes for the regular monitoring of our IT systems. This includes the deployment of security measures to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO runs an incident response plan. This plan includes actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.


Reporting to Board of Directors


The CISO regularly informs the CFO of cybersecurity risks and incidents. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated to the Board of Directors, which has oversight and may provide guidance on critical cybersecurity issues.