Vericel Corp - (VCEL)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity
Risk management and strategy
We have developed processes for assessing, identifying and managing material risks from cybersecurity threats. Our enterprise risk management system incorporates risks from cybersecurity threats alongside other risks to the Company. Our information technology team oversees and implements a range of tools and services designed to minimize the risk or impact of any breach or unauthorized disclosure of our confidential and sensitive data. These tools and services include, from time to time:
• monitoring emerging data protection laws and best practices regarding application security, access management, device protection, network management, and data loss prevention and recovery, and implementing responsive changes to our processes;
• undertaking periodic reviews of our partner-facing policies and statements related to cybersecurity;
• utilizing intrusion detection and monitoring applications and multifactor authentication;
• conducting periodic table-top exercises with management, including our Executive Director, Corporate Information Systems, and testing of our data security, incident response policies and procedures;
• conducting periodic cybersecurity management and incident training for employees, including simulated phishing campaigns, which provide education on the risk of potential cybersecurity incidents, methods for identification of such incidents and appropriate responses; and
• requiring employees, as well as third parties who provide services on our behalf, to treat information and data with care.
We also maintain an enterprise-wide incident response plan designed to secure the enterprise, mitigate the impact of a cybersecurity incident, recover and restore normal business operations, prevent similar future incidents and comply with applicable regulatory obligations arising from an incident. Management, including our Executive Director, Corporate Information Systems, collaborates with our information technology team and technical partners to review our enterprise-wide incident response plan at least annually. Periodically, we engage assessors, consultants, auditors and other third parties, including by conducting exercises with an external partner to stress test our data security systems and practice company-wide response tactics. Our risk management processes also address cybersecurity threat risks associated with our use of third-party service providers, and third-party risks are included within our enterprise risk management program. In the event of a suspected or actual cybersecurity event, we have partnered with a globally recognized digital forensics investigation firm and outside counsel to provide services and support on a real-time basis to analyze any breach and secure both our data and information systems.
For a discussion of how any risks from cybersecurity threats could materially affect the Company, including our business strategy and results of operations, see “Risk Factors – A cyber security incident or data privacy issue could result in a loss of confidential data, give rise to remediation and other expenses, expose us to liability under HIPAA, consumer protection and privacy laws, or other common law theories, subject us to litigation and federal and state governmental inquiries, damage our reputation, and otherwise be disruptive to our business,” which is incorporated by reference into this Item 1C.
In the three most recently completed fiscal years, we have not experienced any material cybersecurity incidents, nor have we incurred any related penalties or settlements.
Governance
The Audit Committee of our Board oversees our risk management process, which includes risks from cybersecurity threats. The Audit Committee receives reports from management at least semi-annually, and more frequently if necessary, with respect to risks from cybersecurity threats. The Audit Committee also reviews cybersecurity and data security risks and mitigation strategies, along with program assessments, planned improvements and the status of information technology initiatives.
The entire Board receives annual training from outside experts concerning the current global cybersecurity threat landscape and corporate best practices for mitigating cybersecurity risks, as well as the Board’s legal, regulatory and fiduciary responsibilities from a cybersecurity standpoint. Additionally, the Board was engaged with management and outside experts throughout 2022 and 2023 in overseeing the development of the Company’s Enterprise Incident Response Plan. This plan is reviewed and updated on an annual basis.
Our Executive Director, Corporate Information Systems, along with our General Counsel, Information Technology management team, and Chief Operating Officer, oversees our approach to cybersecurity and is responsible for assessing and managing our material risks from cybersecurity threats. Our Executive Director, Corporate Information Systems, has served in this role for two years and has access to Vericel’s external information security firm and an industry-leading intelligence platform. This Executive Director manages and leads the internal Information Technology team to maintain and update the company’s technology infrastructure and corresponding safety measures.
Our Executive Director, Corporate Information Systems, is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents through the management of and participation in the cybersecurity risk management and strategy processes described above, including the operation of our Enterprise Incident Response Plan. Our General Counsel works closely with him and reports regularly to the Board and to the Audit Committee of the Board, covering the risks from cybersecurity threats.