Evolus, Inc. - (EOLS)
10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
Our cybersecurity risk management process is designed to identify and manage internal and external cybersecurity threats and vulnerabilities to and within our business and operations. Our cybersecurity program is integrated into our overall risk management systems, business continuity and crisis management programs, third-party risk management program, insurance risk management program, and employee compliance programs. Our cybersecurity program includes systems and processes such as, but not limited to, maintenance and monitoring of information security policies, implementation and maintenance of infrastructure security systems, programs and policies designed to promote employee awareness of cyber policies and practices (including implementing an annual process for employees to complete security awareness training in addition to new employee cybersecurity awareness training), information systems configuration management, use of third-party risk management systems, process to promote identity and information asset protection and cybersecurity threat operations with continuous monitoring. This program also includes processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers.
We have developed an incident response plan designed to coordinate the activities that we and our third-party security service providers take to prepare to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate any reputational damage. Additionally, as part of our overall risk management program, we maintain a global insurance portfolio with cybersecurity coverage.
To date, we do not believe that our business, results of operations and financial condition have been materially affected as a result of identified cybersecurity threats or incidents, including as a result of any previous cybersecurity incidents that we are aware of. However, we cannot provide assurance that we will not be materially affected in the future by such risks or any future cybersecurity incidents. For more information on our cybersecurity-related risks, please refer to the risk factor titled “We rely on our digital technology and applications and our business and operations could suffer in the event of information system failures or a cybersecurity incident” in Part I, Item 1A of this Report.
Governance
Our cybersecurity team is led by the SVP of IT and Operations, who reports to our Chief Financial Officer. Our SVP of IT and Operations and the cybersecurity team have over 25 years of experience managing and securing technology infrastructure. The cybersecurity team has responsibility for the planning and execution of our processes to manage cybersecurity and other information technology risks. The cybersecurity team also institutes and maintains controls for our systems, applications, and databases. Our management, with involvement and input from our Board of Directors, performs annual enterprise-wide cybersecurity assessments to identify and manage key existing and emerging risks for our company.
The Board of Directors receives periodic updates on our cybersecurity risks from our SVP of IT and Operations, which include risk assessments, areas of emerging risks, incidents and industry trends, and other areas of importance. These reports include updates on our progress preparing for, preventing, detecting, responding to and recovering from material cyber incidents, if any. In addition, as needed, management updates the Board of Directors regarding any material cybersecurity incidents.