SIGA TECHNOLOGIES INC - (SIGA)
10-K Filing Date: March 12, 2024
Risk Management and Strategy
We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our information technology policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. The Company’s Chief Information Officer is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. Our Chief Information Officer has over a decade of experience leading cybersecurity oversight, and others on our IT security team have cybersecurity experience or certifications. We view cybersecurity as a shared responsibility, and we periodically perform simulations and tabletop exercises at a management level and engage external resources and advisors as needed. All employees are required to complete cybersecurity trainings each month through online trainings and simulations.
We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We have also developed a third-party cybersecurity risk management process to conduct due diligence on external entities, including those that perform cybersecurity services.
Cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our Company. For more information about the cybersecurity risks we face, see the risk factor entitled “Our business and operations would suffer in the event of a significant computer system failure, cyber-attack or deficiency in our cyber-security” in Item 1A - Risk Factors.
Governance
The full Board receives updates periodically or as needed during the year from the Company’s Chief Information Officer and actively participates in discussions with management and amongst themselves regarding cybersecurity risks. Updates delivered to the full Board typically include discussion of management’s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. These updates also typically include a review of any recent enhancements to the Company’s defenses and management’s progress on its cybersecurity, as well as reports on key performance indicators, test results and related remediation, and recent threats and how the Company is managing those threats.