Axogen, Inc. - (AXGN)

10-K Filing Date: March 05, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity represents an important component of the Company’s overall approach to risk management. The Company’s cybersecurity policies, standards and practices are integrated into the Company’s enterprise risk management approach, and cybersecurity risks are one of the enterprise risks that are subject to oversight by the Company’s Board of Directors (the “Board”). The Company's cybersecurity standards and practices follow industry trends, which align with frameworks established by the Center for Internet Security ("CIS"). The Company approaches cybersecurity threats through a cross-functional approach which endeavors to: (i) identify, prevent and mitigate cybersecurity threats to the Company; (ii) preserve the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protect the Company’s intellectual property; (iv) maintain the confidence of our customers, clients and business partners; and (v) provide appropriate public disclosure of cybersecurity risks and incidents when required.
Risk Management and Strategy
The Company’s cybersecurity program focuses on the following areas:
a. Vigilance: The Company maintains cybersecurity threat operations with the goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with our established incident response and recovery plans.
b. Systems Safeguards: The Company deploys system safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence.
c. Collaboration: The Company utilizes collaboration mechanisms established with public and private entities, including intelligence and enforcement agencies, industry groups and third-party service providers, to identify, assess and respond to cybersecurity risks.
d. Third-Party Risk Management: The Company endeavors to identify and oversee cybersecurity risks presented by third parties, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
e. Training: The Company provides periodic training for personnel regarding cybersecurity threats, which reinforces the Company’s information security policies, standards and practices.
f. Incident Response and Recovery Planning: The Company has established and maintains incident response and recovery plans that address the Company’s response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are tested and evaluated periodically.
g. Communication, Coordination and Disclosure: The Company utilizes a cross-functional approach to address the risk from cybersecurity threats, involving management personnel from the Company’s technology, operations, legal, risk management and other key business functions, as well as the members of the Board and the Audit Committee of the Board in an ongoing dialogue regarding cybersecurity threats and incidents, while also implementing controls and procedures for the escalation of cybersecurity incidents pursuant to established thresholds so that decisions regarding the disclosure and reporting of such incidents can be made by management in a timely manner.
h. Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee, which regularly interacts with the Company’s VP of Information Technology, Security and Business Intelligence and other members of the cyber team and management.
The Company manages risks from cybersecurity threats through the assessment and testing of the Company’s processes and practices focused on evaluating the effectiveness of our cybersecurity measures. The Company engages third parties as appropriate to perform assessments of our cybersecurity measures. The results of such assessments and reviews are reported to the Audit Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews.
Governance
The Board, in coordination with the Audit Committee, oversees the management of risks from cybersecurity threats, including the policies, standards, processes and practices that the Company’s management implements to address risks from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including, for example, recent developments, evolving standards, vulnerability assessments, third-party reviews, the threat environment, technological trends and information security considerations arising with respect to the Company’s peers. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. On a regular basis, the Board and the Audit Committee discuss the Company’s approach to cybersecurity risk management with the Company’s cyber team and senior leadership team.
The Company’s VP of Information Technology, Security and Business Intelligence is the member of the Company’s management that is principally responsible for overseeing the Company’s cybersecurity risk management program, in partnership with other business leaders across the Company. The VP of Information Technology, Security and Business Intelligence works in coordination with senior leadership, which includes our Chief Executive Officer, Chief Financial Officer, and General Counsel. The Company’s VP of Information Technology, Security and Business Intelligence has served in various roles in information technology and information security for over 18 years, including Biogen, AstraZeneca, Iron Mountain, and consulting roles at Charles River Labs, Sunovion Pharmaceuticals, Agero and DentaQuest. The VP of Information Technology, Security and Business Intelligence holds an MBA from Boston University, a Master’s degree in Electrical and Computer Engineering from Utah State University, and a Bachelor’s degree in Electronics Engineering from Mumbai University. The Company’s Information Technology team has specific professional certifications, and has over 10 years of experience with managing risks arising from cybersecurity threats.
The Company’s VP of Information Technology, Security and Business Intelligence, in coordination with senior leadership, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. To facilitate the success of this program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company’s policy as it relates to the incident, management response and recovery plan. Through the ongoing communications from these teams, the VP of Information Technology, Security and Business Intelligence and senior leadership monitor the prevention, detection, mitigation and remediation of cybersecurity incidents in real time, and report such incidents to the Audit Committee when appropriate.
Cybersecurity threats, resulting from any previous cybersecurity incidents, have not materially affected or are not reasonably likely to affect the Company, including its business strategy, results of operations, or financial condition.
