NeuroMetrix, Inc. - (NURO)

10-K Filing Date: March 01, 2024
ITEM 1C. CYBERSECURITY

We operate in the medical device industry, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. We have initiated a risk-based approach designed to identify and assess the cybersecurity threats that could affect our business and information systems. Our strategy is to maintain a high level of risk awareness, identify critical IT assets, regularly update or replace those assets, systematically perform vulnerability testing, and promptly remediate deficiencies. Our cybersecurity program is aligned with industry standards and best practices, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

We are adopting various tools and methodologies to manage cybersecurity risk that will be tested on a regular cadence. We are also in the process of monitoring and evaluating our cybersecurity posture and performance on an ongoing basis through scheduled vulnerability scans, penetration tests and threat intelligence feeds. We require third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices.

Our business depends on the availability, reliability, and security of our information systems, networks, data, and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could adversely affect our operations, customer service, product development, and competitive position. Such events may also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our vendor relationships, or loss of market share.

Our Board of Directors, the Audit Committee and the Cyber Committee, which is chaired by the Chief Executive Officer and staffed by the IT Director, Chief Financial Officer, Corporate Controller and other management employees, are responsible for overseeing cybersecurity risks and risk management. The Board has assigned oversight responsibility for cybersecurity to the Audit Committee, which is in regular communication with management concerning cybersecurity threats and incidents. The Audit Committee reviews management's assessment of cyber controls, control testing and outcomes. The Audit Committee is responsible for keeping the Board informed of significant cybersecurity developments, including incidents which might potentially have a material effect on the Company. The Cyber Committee is responsible for evaluating cyber threats, the potential effect on operations and scope of the threat. Threats or incidents which the Cyber Committee has judged to have potentially material consequences will be communicated to the Audit Committee. A meeting of the full Board of Directors, including the Audit Committee, will be convened within 48 hours of the Cyber Committee assessment. If the Board determines that the threat or incident is material, Form 8-K will be finalized and filed within four days following the determination, as required under SEC rules.

The Company is currently in the process of implementing a more formalized cybersecurity program.