908 Devices Inc. - (MASS)
10-K Filing Date: March 08, 2024
Item 1C. Cybersecurity.
Governance Related to Cybersecurity Risks
Our board of directors, as a whole and through its committees, holds overall oversight responsibility for our risk management processes, including in relation to risks from cybersecurity threats. Our board of directors exercises its oversight function through the audit committee, which oversees the management of risk exposure across various areas, including cybersecurity risks, in accordance with its charter. The audit committee receives quarterly reports from our Director of Information Technology on the status of our cybersecurity program, including measures implemented to monitor and address cybersecurity risks and threats, as appropriate. The Chair of the audit committee provides a quarterly report to the board of directors, which includes any key updates on cybersecurity matters, as applicable.
Our Director of Information Technology is responsible for the day-to-day administration and management of our cybersecurity program, under the direct supervision of our Chief Product Officer (formerly our Chief Technology Officer). Currently, the Director of Information Technology role is held by an individual who has approximately 19 years of information technology experience and 10 years of cybersecurity experience. We also work with external security service providers to support our security monitoring and threat detection capabilities and have implemented a process to report relevant findings to the Director of Information Technology and up to the Chief Product Officer and other members of executive management, where appropriate.
Cybersecurity Risk Management and Strategy
We maintain a cybersecurity program, which is informed by industry standards, that includes processes for identification, assessment, and management of cybersecurity risks. We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify potential areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security testing and have established a vulnerability management process, supported by security testing, that is designed to address the treatment of identified security risks based on severity.
As part of our cybersecurity risk management program, we have a process to assess and review the cybersecurity practices of major third-party vendors and service providers that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems, including through review of applicable certifications, security reports, and contractual requirements, as appropriate.
We have implemented a process to periodically conduct security awareness training for employees and simulated phishing campaigns. We also conduct specific training and tabletop exercises for key personnel involved in cybersecurity risk management.
Our Director of Information Technology and his team are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks through various means, including by leveraging a managed security service provider and other third-party security software and technology services. In addition, we use various internal and external processes and technologies, including third-party security solutions, monitoring, and alerting tools and resources, designed to monitor, identify, and address risks from cybersecurity threats. We also have implemented processes and technologies for network monitoring and data loss prevention procedures.
We have adopted an incident response plan to guide us in responding to cybersecurity incidents and maintain processes to inform and update executive management and the audit committee about security incidents that may pose a significant risk for our business, as applicable.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems. See Item 1A “Risk Factors” in this Annual Report on Form 10-K for more information.