Sonendo, Inc. - (SONX)

10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

We manage cybersecurity threats as part of our general risk mitigation, evaluation, and oversight processes. We implement our cybersecurity program internally through established policies, standards, and the use of enterprise security services that focus on emerging and ongoing cybersecurity risks. We manage these risks to our employees, customers, stockholders, and business partners through a coordinated and consistent IT risk management process overseen by the Senior Manager, IT, who assumes the role of our Chief Information Security Officer (“CISO”).

Our information risk management framework is designed to manage and protect against risks in three broad categories: (i) operational risk; (ii) financial risk; and (iii) safety, environmental, and regulatory risk. We consider and evaluate reputational risk as an element of each of these risk categories.

We conduct regular security and awareness training for all new hires and for current employees. Employees are required to apply risk assessment processes and to professionally assess risks in the course of performing their job duties.

We conduct vulnerability scans of business critical systems on an annual, quarterly, and daily basis. We utilize external third parties to assist in assessing our systems, conduct scans and provide reports based on these scans, and we address vulnerabilities as they are identified. We generally review current and prospective third party service providers for cybersecurity risks.

Management, under the supervision of our Chief Information Security Officer (CISO), is directly responsible for assessing and managing cybersecurity risks and otherwise implementing our cybersecurity program, which includes our Incident Response Policy and Incident Response Procedure. The CISO reports directly to our Chief Executive Officer. Our CISO has over ten years of IT experience and nine years of significant experience managing cybersecurity threats across our industry. The CISO may call upon business and legal stakeholders across our company to manage cybersecurity threats and incidents.

The audit committee of our board of directors is responsible for oversight of the company's programs, policies, procedures, and risk management activities related to information security and data protection. The audit committee meets regularly with the CISO to discuss threats, risks, and ongoing efforts to enhance cyber resiliency, as well as changes to the broader cybersecurity landscape. Management promptly updates our board of directors regarding significant threats and incidents as they arise.