MAXCYTE, INC. - (MXCT)

10-K Filing Date: March 12, 2024
Item 1C. Cybersecurity

As a company that provides enabling platform technologies to advance the discovery, development and commercialization of next-generation cell therapeutics for customers, we are committed to protecting the confidentiality, integrity and availability of our and our customers’ information assets. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats and cybersecurity incidents, as such terms are defined in Item 106(a) of Regulation S-K. Our exposure to applicable cybersecurity risks is described more fully under the Risk Factors in Item 1A in this annual report on Form 10-K.

As described further below, we maintain a formal and comprehensive information security management framework informed by the National Institute of Standards and Technology (“NIST”) cybersecurity framework and have implemented several dozen policies governing our information security program, which we revise and update annually. Our Board, including the Audit Committee of our Board, and our management team are actively involved in the oversight of our enterprise risk management program, of which cybersecurity represents an important component.

Risk Management and Strategy

Monitoring and assessing cybersecurity risk is a critical part of our overall enterprise risk management (“ERM”). Our Board regularly discusses significant areas of risk, including those that may be related to cybersecurity, as necessary. We have designed and implemented an information security program tailored to our operations, the nature of our products and services, and the sensitivity of the data that we process. We have implemented cybersecurity risk management processes that include, for example, developing organizational understandings to manage cybersecurity risk, identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities, and developing a vendor risk management policy for assessing supply chain and vendor-related risks. As part of these processes, we have implemented an Incident Response Plan, which provides protocols for incident evaluation, including processes for notification and internal escalation of information to our senior management and the appropriate Board committees. Our Incident Response Plan is updated annually and tested in tabletop exercises.

We utilize the cybersecurity services of our IT MSP, which is a SOC that is operated 24/7/365 and monitors our devices and networks for malicious activity. In addition to antivirus endpoint protection on Company devices, our IT MSP also, for example, monitors IT system metadata around suspicious events, evidence of tactics, tools, or procedures used by attackers, and monitors remote privileged activity.

We engaged a third party to perform a cybersecurity audit in the fourth quarter of 2021 and intend to undertake another cybersecurity audit in the third quarter of 2024. To date, we have not identified any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected us, our business strategy, results of operation, or financial condition. To date, we have not experienced a material cybersecurity attack, such as a cybersecurity threat, a ransomware attack, computer viruses or other malicious codes, security breaches, unauthorized access, phishing attacks, or system failures. The Company carries cybersecurity insurance and considers our coverage to be adequate.

Governance

Our Board, including the Audit Committee of the Board, and our management team are actively involved in the oversight of risks from cybersecurity threats.

Our Audit Committee discusses risks related to cybersecurity quarterly, and reports to the Board quarterly on such risks and events. Our Senior Director of Information Systems presents information to the Audit Committee regarding cybersecurity risks and events quarterly. The full Board also discusses cybersecurity risks and events annually. If there are direct risks rising to the level of potential materiality, the management team reports such risks and events to the Board.

Our Senior Director of Information Systems and our Director of Information Systems are responsible for day-to-day oversight of cybersecurity risk. The individual currently holding the position of Senior Director of Information Systems has held the role for two years, has sixteen years of experience in IT and software development (with eight of those years in management roles), and holds certification from MIT Sloan School of Management in cybersecurity risk management. The individual currently holding the position of Director of Information Systems—who reports directly to the Senior Director of Information Systems—was formerly an IT Audit Senior Associate at PricewaterhouseCoopers, performed security assessments as a consultant at PricewaterhouseCoopers, and passed his CISA exam (though certification is currently pending). These individuals are responsible for coordinating resources internally and externally regarding cybersecurity risk management and incident response, and they report directly to our Chief Administrative Officer.

Our management team has also established a Cybersecurity Incident Response Team (the “CSIRT”), which is comprised of our Chief Executive Officer, the Chair of the Audit Committee of our Board, our General Counsel, our Chief Administrative Officer, and our Senior Vice President of Human Resources. The CSIRT is also responsible for responding to cybersecurity incidents.