Xometry, Inc. - (XMTR)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.

 

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and our customers’ confidential information (“Information Systems and Data”).

Our information security function, which is led by our Chief Technology Officer (“CTO”), helps identify, assess, and manage our cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods, including manual and automated tools, analyzing reports of threats and actors, evaluating our risk profile, conducting audits, conducting threat and vulnerability assessments, and performing tabletop incident response exercises.

Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including incident detection and response, a vulnerability management policy, business continuity plans, risk assessments, encryption of certain data, access controls, employee training, penetration testing, cybersecurity insurance, systems monitoring and dedicated cybersecurity staff.


Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. Certain information about our assessment and management of material risks from cybersecurity threats is included in risk management reports, as applicable, to senior leadership and the Audit Committee.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms, cybersecurity consultants and software providers, managed cybersecurity service providers, penetration testing firms, and forensic investigators.

We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, and third-party manufacturing organizations. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider (such as by reviewing certain vendors’ security assessments or reports) and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor titled “If our information technology systems or those of our third-party partners or service providers or our data are or were compromised, we may experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions, litigation, fines and penalties, disruption to our business, harm to our reputation and brand, and exposure to liability.”

 

Governance

Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of our board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of management, including (i) our CTO, Mr. Leibel, who has previously served as the Senior Director of Engineering at various large technology companies and holds a Master of Information Technology degree from Virginia Tech; and (ii) our Vice President of Information Technology and Security, Mr. Brendan Hamilton, who has previously worked as a Vice President at an international bank with supervisory responsibility for cybersecurity issues and is a Certified Information Systems Security Professional.

Our Chief People Officer, CTO and recruiting personnel are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Our management, including our CTO and Chief Financial Officer, is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Executive Officer, CTO, Chief Financial Officer, and General Counsel, who work with our incident response team to help mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response processes include reporting to the Audit Committee of the board of directors for certain cybersecurity incidents.

The Audit Committee receives periodic reports from the CTO concerning our significant cybersecurity threats and risks and the processes we have implemented to address them. Our board of directors receives such reports periodically from the Audit Committee and from our CTO. The board of directors also receives various reports, summaries or presentations related to cybersecurity threats, risks, and mitigation.