NeuroPace Inc - (NPCE)
10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity.
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, client data and patient data, or, collectively, Information Systems and Data.
Our information security function is overseen by our Privacy and Security Officer and is supported by our Director of Information Technology and Vice President, Manufacturing and Commercial Operations and Information Technology. This function helps to identify, assess, and manage our cybersecurity threats and risks, including through the use of our risk register. Our information security function helps identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example: evaluating our industry’s risk profile, deploying manual and automated tools in certain environments, subscribing to reports and services that identify certain cybersecurity threats, evaluating certain threats reported to us, engaging third parties to conduct threat assessments, conducting internal and external vulnerability and threat scans and assessments of certain environments, conducting internal audits, and penetration testing of certain systems.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response, vulnerability management and disaster recovery policies, risk assessments, data encryption and data segregation of certain data, access controls and network security controls in certain environments, physical security controls, employee training, penetration testing, systems monitoring, cybersecurity insurance and asset and vendor management programs.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, our Privacy and Security Officer works with Information Technology, Legal, and other NeuroPace leadership to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example: professional service firms, including outside legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity service providers, and penetration testing firms.
We use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes security questionnaires for certain vendors, imposition of information security contractual obligations on certain vendors, verification of relevant industry standard security certifications for certain vendors, and other vendor management program elements. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K.
Governance
Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain NeuroPace management, including our Privacy and Security Officer, who has more than 20 years of experience in healthcare privacy and security, in coordination with our Director of Information Technology, who has more than 30 years of experience with information technology operations and sixteen years as a corporate privacy and security officer, as well as our Vice President, Manufacturing and Commercial Operations and Information Technology.
Our Privacy and Security Officer, Director of Information Technology, and NeuroPace leadership are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Our Privacy and Security Officer in coordination with our Director of Information Technology is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our incident response and vulnerability management policies are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Privacy and Security Officer, Director of Information Technology, Vice President, Manufacturing and Commercial Operations and Information Technology and other designated individuals. Our Privacy and Security Officer works with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response and vulnerability management policies include reporting to the audit committee of the board of directors for certain cybersecurity incidents.
The board of directors receives periodic reports from our Privacy and Security Officer concerning significant cybersecurity threats and risks to us and the processes we have implemented to address them. The board of directors also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.