ELUTIA INC. - (ELUT)

10-K Filing Date: March 11, 2024

Item 1C. Cybersecurity

Cybersecurity Risk Management

We recognize the critical importance of maintaining the safety and security of our information technology systems and data, and we maintain a cybersecurity risk management program as a part of our overall risk management program that is focused on identifying, assessing and managing cybersecurity risk. Key elements of that program include:

Alignment with the National Institute of Standards and Technology Cybersecurity Framework to prevent, detect and respond to cyberattacks;
Engaging external cybersecurity experts in incident response development and management;
An information security training program instructing company employees with access to our networks how to be aware of, and help defend against cybersecurity risks;
Evaluating the cybersecurity risk of third party service providers; and
Business continuity plans and critical recovery backup systems.

Our cybersecurity risk management program is supervised by our Director of Information Systems whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes, as well as managing the Company’s information security and risk management awareness program.

Cybersecurity Incident Response Process

We maintain and regularly update a cybersecurity incident response plan that outlines the steps we take to identify, investigate and take action in response to any potentially material cybersecurity incidents. Our incident response plan is designed to ensure that our Director of Information Systems and members of our senior management team are timely informed of and consulted with respect to any potentially material cybersecurity incidents.

Board Oversight of Cyber Risk

Our Board is engaged in the oversight of cybersecurity threat risk management. As reflected in the Audit Committee’s charter, the Board has specifically delegated responsibility for oversight of cybersecurity matters to the Audit Committee, which provides advice and guidance on the adequacy of the Company’s initiatives on, among other things, cybersecurity risk management. Periodic updates are provided to the Audit Committee on, among other things, our cybersecurity risks and threats, the status of projects to strengthen the Company’s information security systems, and the emerging threat landscape. We also engage third parties to periodically evaluate and audit aspects of our information security programs, including by conducting vulnerability assessments and penetration testing, and the results of those findings are reported to the Audit Committee and used to help identify potentially material risks and prioritize certain security initiatives.

We face a number of cybersecurity risks in connection with our business. Based on the information we have as of the date of this Annual Report, we do not believe that any risks from cybersecurity threats, including as a result of any

77

previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the Company’s business strategy, results of operations or financial position. See Item 1A, Risk Factors, of this Annual Report for further discussion of cybersecurity risks.