ESTABLISHMENT LABS HOLDINGS INC. - (ESTA)
10-K Filing Date: March 04, 2024
ITEM 1C. CYBERSECURITY
The Audit Committee oversees the cybersecurity program and receives reports from management regarding the Company's cybersecurity policies and procedures on an annual basis. The Audit Committee also receives reports from management on any cybersecurity incidents that may occur.
As part of our cybersecurity program, our IT management reports to the Company's Chief Operating Officer and Chief Executive Officer and is responsible for assessing and managing cybersecurity risks and developing and implementing our cybersecurity program. Our current Head of Global IT has more than 15 years of experience in technology and process improvements, which includes the execution of digital business strategies within highly regulated industries. Our IT management has obtained relevant experience in various sectors such as technology firms, financial institutions, and consulting firms and has actively engaged in continuous learning and professional development initiatives to stay updated on evolving cybersecurity threats and trends. This includes participating in industry conferences, workshops, training programs, and becoming members of professional cybersecurity organizations.
Our cybersecurity program is designed to identify, assess, and mitigate risks from cybersecurity threats, and includes the following elements:
• a risk assessment process to identify and assess cybersecurity risks;
• a risk mitigation strategy to address cybersecurity risks;
• an incident response plan to identify, respond to, mitigate and remediate cybersecurity incidents;
• an awareness and training program to educate employees about cybersecurity risks;
• a procedure to procure information technology services, including cloud computing and data storage, from third-party providers with sufficient cybersecurity provisions, and to monitor their cybersecurity process on an ongoing basis; and
• periodic testing and evaluation by external parties we engage to assess the effectiveness of the cybersecurity intrusion protections and make recommendations to improve the security of our information systems.
As a result, we have implemented a multi-layered cybersecurity program that includes measures to protect our information systems, including firewalls, network access controls, intrusion detection systems, phishing campaigns, security awareness training and monitoring, network operation center, security operation center, and data encryption, and to monitor our information systems to detect potential cybersecurity incidents, including through the use of automated detection software. Through these processes and the other processes described above, including our incident response plan, our management is informed about cybersecurity threats and incidents affecting us.
Our company has implemented robust processes to assess, identify, and manage material cybersecurity risks effectively. These processes are an integral component of our overall risk management system, ensuring that cybersecurity concerns are comprehensively addressed within our broader risk management framework. Risk assessment, identification, and management processes are seamlessly integrated into our overall risk management system. The processes for assessing, identifying, and managing cybersecurity risks are aligned with our strategic objectives and business goals. We foster cross-functional collaboration and communication to facilitate the integration of cybersecurity risk management into various business functions and processes.
We also review our cybersecurity practices, their effectiveness, and the cybersecurity practices of the third parties we rely on, on an ongoing basis and make changes as necessary to address new risks. However, we cannot guarantee that our efforts will be successful in preventing all cybersecurity incidents.
We are not aware of any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. We can give no assurance that we have detected or protected against all cybersecurity threats or incidents. We are subject to a variety of cybersecurity risks, which could have a material adverse effect on our business, financial condition, and results of operations. See the “Risks Related to Intellectual Property and Data Security” section of Item 1A. Risk Factors for additional discussion on risks affecting our information systems.