Serve Robotics Inc. /DE/ - (SBOT)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations.
We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks. As part of this process, and our processes to provide for the availability of critical data and systems, maintain regulatory compliance, identify and manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities, among others:
● closely monitor emerging data protection laws and implement changes to our processes designed to comply;
● undertake regular reviews of our consumer facing policies and statements related to cybersecurity;
● proactively inform our customers of substantive changes related to customer data handling;
● through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
● carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident;
● maintain and follow an internal information security and incident response program;
● follow common industry security standards, such as having two-factor authentication for all accounts, using corporate VPN for service access; and
● minimize the period of time customers’ personal information is stored in our database.
Our information security program coordinates the activities we take to prepare for, detect and respond to cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our broader overall risk assessment process, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Where necessary, we require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. Please see the risk factor entitled “We are subject to cybersecurity risks to our operational systems, security systems, infrastructure, integrated software in our products and data processed by us or third-party vendors.” in Part I, Item 1A. Risk Factors in this report for more information.
In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We have not been faced with any penalties or settlements related to cybersecurity.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
The audit committee of the Board is responsible for the oversight of risks from cybersecurity threats. Beginning fiscal year 2024, at least annually, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the audit committee will generally receive materials including a cybersecurity scorecard and other materials indicating current and emerging material cybersecurity threat risks, and describing the Company’s ability to mitigate those risks, and will discuss such matters with our VP of Software Platform. Members of the audit committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks will also be considered during separate Board meeting discussions of important matters like risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our VP of Software Platform. This individual has over 20 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs in the healthcare and robotics industries.
The VP of Software Platform is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
The VP of Software Platform reports to the audit committee about cybersecurity threat risks, among other cybersecurity related matters.