Vuzix Corp - (VUZI)

10-K Filing Date: April 15, 2024
Item 1C. Cybersecurity


As a Company selling some products and performing engineering services for defense applications, we may be the target of cyber-attacks from a variety of threat actors. Cybersecurity threats include attacks on, or other attempts to infiltrate, our information technology (IT) infrastructure and the IT infrastructure of our customers, suppliers, subcontractors and other third parties, attempting to gain unauthorized access to our confidential or other proprietary information, classified information, or information relating to our employees, customers, and other third parties, or to disrupt our systems or the systems of our customers, suppliers, subcontractors, and other third parties. Cybersecurity threats also include attempts to infiltrate our products or services, including attacks targeting the security, confidentiality, integrity and/or availability of the hardware, software and information installed, stored or transmitted in our products, including after the purchase of those products and when they are incorporated into third-party products, facilities, or infrastructure.


Our Cybersecurity Program


Our products and services are normally classified as EAR 99 (items not designated for control) by the U.S. government, but our defense customers may ask us to make some alterations for the environments in which the products will be used. Moreover, our products sold for defense applications are integrated with our customers’ products. Given the nature of our business and the cybersecurity risks we face, we have instituted a cybersecurity program for identifying, assessing, and managing cybersecurity risks, which include material risks from cybersecurity threats to our internal systems, our products, services and programs for customers, and our supply chain.


Our enterprise cybersecurity program aligns with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) standards, among others. The program includes processes and controls for the deployment of new IT systems by the Company and controls over new and existing system operations. We, or third parties we contract with, monitor and conduct regular testing of these controls and systems, including vulnerability management through active discovery and testing to regularly assess patching and configuration status. In addition, we require our employees to complete annual cybersecurity training, and we regularly conduct simulated phishing and cyber-related communications.


Incident Response.


Our cybersecurity program includes monitoring for potential security threats that may lead to vulnerabilities. We evaluate and assign severity levels to incidents, escalate and engage an incident response team based on severity, and manage and mitigate the related risks. Incidents are reported internally to members of senior management and/or the Board of Directors as appropriate based on severity and incident type and are also analyzed for external reporting requirements. Our incident response process is also designed to coordinate functions to enable continuity of essential business operation in the event of a cyber crisis.


Third Party Service Providers.


We engage third party service providers to expand the capabilities and capacity of our cybersecurity program, including for design, monitoring and testing of the program’s risk prevention and protection measures, and process execution including incident detection, investigation, analysis and response, eradication, and recovery. Our main external service provider is US-based and utilizes a 24 x 7 x 365 Service Operation Center (SOC).


Program Assessment.

We regularly evaluate and seek to improve and mature our cybersecurity processes. Our cybersecurity program is regularly assessed through management self-evaluation and ongoing monitoring procedures to evaluate our program effectiveness, including assessments associated with internal controls over financial reporting as well as vulnerability management through active discovery and testing to validate patching and configuration. As cybersecurity threats are continuously evolving, we also periodically engage with third parties to perform maturity assessments of our program to identify potential risk areas and improvement opportunities. This includes assessment of our overall program, policies and processes, compliance with regulatory requirements and an overall assessment of key vulnerabilities. We use these assessments to supplement our own evaluation of the overall health of our program and target improvement areas.


Board Oversight and Management’s Role


Our Board of Directors has primary oversight responsibility for enterprise cybersecurity risks. The Audit Committee also considers enterprise cybersecurity risks in connection with its financial and compliance risk oversight role. The Chief Financial Officer regularly reports to the Board of Directors on the status of the Company’s cybersecurity program and provides the Board of Directors with the annual assessment by a third party on the Company’s cybersecurity program. Cybersecurity risks are also included with the Company’s annual business risk assessment which is provided to the Board of Directors.


For more information on risks related to cybersecurity, see Item 1A. "Risk Factors" of this Form 10-K.