STANDARD BIOTOOLS INC. - (LAB)
10-K Filing Date: March 01, 2024
Risk Management and Strategy
Standard BioTools regularly assesses risks from cybersecurity threats; monitors our information systems for potential vulnerabilities; and tests those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to protect against cybersecurity incidents, as well as to identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. As part of this program, we conduct periodic assessments of our assets to evaluate the effectiveness of applicable security controls. These assessments are informed by industry standard frameworks (NIST, ISO) and include a review of our information security controls, policies and procedures to assess cybersecurity maturity against industry standards. In accordance with our IT Risk Management Program, we actively identify and assess risks based on the probability and potential impact to key business systems and processes. All identified risks are assessed to identify the range of possible outcomes and are prioritized by their level of importance. Each risk is assigned to a risk owner who tracks, monitors, and reports on its status with a risk response aligned to the probability and impact of occurrence. Risks that are considered high are incorporated into our corporate risk management program overseen by the Audit Committee and our Board of Directors.
All employees receive cybersecurity training upon hire, with at least annual training thereafter that includes job-specific topics. Our Information Security team, consisting of the VP of Information Technology, Sr. Manager of Network Security and IT Security Manager, among others, engages third-party vendors to assist with providing timely cybersecurity threat alerts, in addition to monitoring for cybersecurity threats and our defenses against cyberattacks. This monitoring includes the proactive identification of vulnerabilities in our systems through testing and threat intelligence awareness. The employees within our Information Security team and broader IT team who specialize in cybersecurity operations are responsible for coordinating and overseeing the activities of these third-party vendors.
Additionally, we require each third-party service provider with access to our internal systems, applications or data to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws; to implement and maintain reasonable security measures in connection with its work with us; and to promptly report any suspected breach of its security measures that may affect our company. Our practice is to perform due diligence, including the completion of security questionnaires and risk assessments, as appropriate, on these third parties.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in our risk factor titled “Security incidents, loss of data, cyberattacks, and other information technology failures could disrupt our operations, damage our reputation, and adversely affect our business, operations, and financial results,” in Part I, Item 1A, “Risk Factors.” Refer to this risk factor for additional description of cybersecurity risks and potential related impacts on our Company.
As previously disclosed, in early 2019, we became aware of a ransomware attack that infiltrated and encrypted certain information technology systems, including systems containing critical business data. The financial impact of this incident was not material, and there were no changes to the previously released financial results or financial statements. As previously disclosed, immediately following the discovery, we commenced an investigation and were able to recover access to the compromised systems and restore their operation without significant loss of business data within weeks of the incident. Following the incident, we implemented additional protective measures and internal control policies and procedures. We also retained a professional cybersecurity investigation firm to conduct a full forensic analysis of the incident, which concluded that there was no evidence of malware, persistence mechanisms or other compromised on-premises Exchange accounts within the Company’s environment.
In early 2024, Standard BioTools completed a merger with SomaLogic Operating Co, Inc. Critical to integration activities has been a wholesale review of policies, procedures and tools relevant to the combined cybersecurity environment, with the objective of deploying and maintaining those which reinforce our security posture to the greatest extent. While these activities are ongoing, it has been noted that the SomaLogic organization takes a comparable, if not more stringent, approach to its cyber and information security posture, including its ongoing ISO 27001 compliance certification.
Governance
While our management team is responsible for the day-to-day management of the risks Standard BioTools faces, our Board has the responsibility to oversee management’s processes for identifying, monitoring, and addressing enterprise risks, evaluate and discuss with management its assessments of matters relating to enterprise risks, and oversee and monitor management’s plans to address such risks. The Board takes an enterprise-wide approach to risk management designed to support the achievement of organizational objectives, including strategic objectives, to improve long-term organizational performance, and to enhance stockholder value. In order to understand the most significant risks faced by the Company and the steps being taken to manage those risks, Standard BioTools conducts quarterly enterprise risk management assessments, facilitated by the Company’s executive leadership team in collaboration with the internal audit function, which are presented by management at each quarterly Board meeting. The Board’s review of our business is an integral aspect of its assessment of management’s tolerance for risk and its determination as to the appropriate level of risk for our Company.
Although the Board has determined that enterprise risk management should be the responsibility of the Board as a whole, it has delegated responsibility to oversee specific areas of risk management to its committees. Our Audit Committee oversees and reviews the Company’s cybersecurity, data privacy, and other information technology risks, controls and procedures, including the Company’s plans to mitigate cybersecurity risks and respond to data breaches. At periodic meetings of the Board and its committees and in other meetings and discussions, management reports to the Board and its committees with respect to the most significant risks that could affect our business, including cybersecurity-related risks. Our Audit Committee also receives prompt and timely information regarding any cybersecurity incident to meet reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Our cybersecurity risk management and strategy processes are led by our Chief Financial Officer and our Vice President of Information Technology. Our Vice President of Information Technology has over 18 years of work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, and holds relevant degrees and certifications, including Certified Information Systems Auditor. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these management team members report to the Audit Committee of our Board of Directors about cybersecurity threat risks, among other cybersecurity-related matters, on an at least annual basis. Should a material breach be identified, as defined by the Board and the executive team, these management team members will notify the executive team and the Board and draft the required disclosure.