BIODESIX INC - (BDSX)

10-K Filing Date: March 01, 2024

1C. Cybersecurity.

Risk Management and Strategy

Our business relies on secure and continuous processing of information and the availability of our IT networks and IT resources, as well as critical IT vendors that support our technology, research and other data processing operations. We have integrated cybersecurity risk management into our broader risk management framework. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our IT department continuously evaluates and addresses cybersecurity risks in alignment with our business objectives and operational needs. The Company maintains comprehensive security policies and procedures. These policies and procedures include but are not limited to security and data privacy training for staff, physical security, and electronic data security. Our electronic data security policies and procedures follow HIPAA, GDPR, SEC guidelines, and examples encompass data access controls, data privacy controls, password controls, data encryption, and incident response including an in-depth process for determining materiality. On top of the policies, our network is protected via firewall implementation and cyber-threat monitoring which includes 24/7 vulnerability scanning and 24/7 monitoring using extended detection and response for advanced intrusion detection.

The Company also engages with a range of external experts in evaluating and testing our risk management systems. These partnerships allow us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaboration with these third-parties includes audits, threat assessments, and consultation on security enhancements.

The Company is also aware of the risks associated with third-party service providers. To oversee these risks, we conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards.

Current Cybersecurity Risks

As of the date of this Annual Report on Form 10-K, the Company has not experienced any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company. In the event of a cybersecurity incident, the Company is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents. See "Risk Factors— We may face additional costs, loss of revenue, significant liabilities, harm to our brand, decreased use of our products or services and business disruption if there are any security or data privacy breaches or other unauthorized or improper access."

Management and Board Oversight

Our management is responsible for day-to-day risk management activities. Our Board of Directors, acting directly and through its committees, is responsible for the oversight of our risk management. The Nominating and Governance Committee monitors our cybersecurity risk profile, receives periodic updates from management on all matters related to cybersecurity and reports to our full Board of Directors on an annual basis or as necessary. The Nominating and Governance Committee is composed of members with diverse expertise that allows them to oversee cybersecurity risks effectively.

Management is involved in assessing and managing material cybersecurity risks and incidents through dialogue with our Information Security Officer. Our Information Security Officer brings expertise to this role through his in-depth knowledge and experience in technology management and cybersecurity. Our Information Security Officer is continually informed about the latest developments in cybersecurity. This is crucial for the effective prevention, detection, mitigation and remediation of cybersecurity incidents, and allows him to regularly inform our Chief Executive Officer and Chief Financial Officer of any and all aspects of our business related to cybersecurity and information technology.

Our Chief Executive Officer, Chief Financial Officer and Information Security Officer regularly report to the Nominating and Governance Committee to ensure effective and efficient oversight of our cybersecurity threats and material risks, and to assist in proper risk management. Significant cybersecurity matters and strategic risk management decisions will be escalated from the Nominating and Governance Committee to the Board of Directors, ensuring that there is comprehensive oversight and the full Board of Directors can provide guidance on critical cybersecurity issues.