Akoya Biosciences, Inc. - (AKYA)
10-K Filing Date: March 04, 2024
Item 1C. Cybersecurity
Risk Management and Strategy:
Our information technology (“IT”) systems play a central role in running nearly all aspects of our business operations. Therefore, responding efficiently and effectively to cybersecurity incidents and threats is an important component of our enterprise risk management strategy. We have designed and implemented a cybersecurity incident response plan and related processes, overseen by our Vice President, IT and other cybersecurity professionals, which establish processes and procedures for assessing, identifying and managing material risks from cybersecurity threats.
In connection with our processes for assessing, identifying and managing risk from cybersecurity, we engage various third-party cybersecurity vendors and experts to assist in managing these processes, including:
● 24/7 daily monitoring of all systems including continual threat prevention, detection and response;
● providing guidance with respect to cybersecurity risk management, conducting vulnerability assessments, leading tabletop exercises and consulting on best practices;
● performing various investigation services in the event of a cyber incident including assisting in determining the type of attack and impact to our information technology network, maintaining cybersecurity vigilance and assisting with the recovery and restoration of any impacted IT system services;
● assisting with validation of the incident and assisting with ransomware demands; and
● breach response services such as communications, notification of third parties and credit monitoring.
In addition to our cybersecurity incident response plan, we have also implemented processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. For example, where appropriate, we seek to negotiate contractual terms with certain third-party service providers that impose obligations on such service providers with the goal of protecting our confidential information. Where possible, we require service providers to maintain information technology security protections.
Although the risks from cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, it is possible that a cybersecurity incident resulting in a serious compromise of our IT systems or a demand for payment to restore our IT systems, could have a material adverse effect on us by negatively impacting our ability to operate our business effectively and by diverting the attention of our management and other resources, including financial resources, to address the cybersecurity incident.
Governance:
Our Security Incident Response Team (“SIRT”) has the primary responsibility of assessing and managing risks from cybersecurity threats and implementing the various stages of our cybersecurity incident response plan. The SIRT is comprised of our Vice President, IT and other IT systems management personnel.
● Board of Directors
The Audit Committee of our board of directors operates under a written charter adopted by our board of directors. The Audit Committee oversees, among other things, a system of internal controls, including internal controls designed to assess, identify, and manage material risks from cybersecurity threats. The Audit Committee is also responsible for the adequacy and effectiveness of our internal controls, including those internal controls that are designed to assess, identify, and manage material risks from cybersecurity threats.
The Audit Committee is informed of material risks, if any, from cybersecurity threats pursuant to escalation criteria set forth in our disclosure controls and procedures. Further, at least once per quarter, our Vice President, IT reports material risks, if any, from cybersecurity threats to the Audit Committee and/or our board of directors. We are also developing a cybersecurity training that our board of directors will receive on an annual basis as part of our director education program.
● Management
Our Vice President, IT has served in various roles in information technology and information security for over 25 years, including serving as the Vice President, IT of two public companies. He holds a Masters in Cybersecurity and Data Assurance and has attained the professional certifications of Certified Information Security Manager (“CISM”) and Certified Data Privacy Solutions Engineer (“CDPSE”). Our Vice President, IT and the Company’s CEO, CFO and General Counsel each have extensive experience managing the risks associated with cybersecurity threats at the Company and at similar companies.
Our management, including members of our Disclosure Committee, and our Vice President, IT regularly assess and manage material risks, if any, from cybersecurity threats. Our Vice President, IT holds quarterly meetings with management to review security matters, including threats, vulnerabilities and risk mitigation measures.
Our senior management team and our Controller comprise our Disclosure Committee. The Disclosure Committee is responsible for establishing and monitoring the integrity and effectiveness of controls and other procedures, which are designed to ensure that (1) all information required to be disclosed is recorded, processed, summarized, and reported accurately and on a timely basis, and (2) all such information is accumulated and communicated to management and the Audit Committee, as appropriate, to allow for timely decisions regarding such disclosures. Our cybersecurity incident response plan includes processes which ensure that management, which includes members of our Disclosure Committee, is apprised of cybersecurity incidents to ensure proper disclosure is made by the Company in accordance with applicable law.
Our Vice President, IT oversees the Company’s cybersecurity incident response plan and related processes designed to assess and manage material risks, if any, from cybersecurity threats. Our Vice President, IT also coordinates with consultants, auditors and other third parties to assess and manage material risks from cybersecurity threats.
Our Vice President, IT is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to criteria set forth in our cybersecurity incident response plan and related processes. Further, our Vice President, IT is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents pursuant to reports prepared by consultants, auditors, and other third parties we retain, if necessary, to investigate cybersecurity incidents. From time to time, we conduct tabletop exercises to evaluate the strength of our controls and our ability to respond to cybersecurity incidents.
In accordance with criteria set forth in our cybersecurity incident response plan, our Vice President, IT or a delegate thereof informs our General Counsel and other members of senior management of cybersecurity incidents that may be material pursuant to escalation criteria set forth in our cybersecurity incident response plan and related processes.