Axonics, Inc. - (AXNX)
10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.
Risk management and strategy
We have adopted the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and established policies and processes for assessing, identifying, and managing material cybersecurity risks based upon cybersecurity threats, vulnerabilities, likelihood, and impact, and have integrated these processes into our overall risk management systems and processes, which are overseen by our Chief Operating Officer and Chief Financial Officer. We routinely assess cybersecurity risks that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct annual assessments to identify cybersecurity risks based on known threats and vulnerabilities, as well as assessments after any material change in our business practices that may affect information systems exposed to such cybersecurity risks. These risk assessments include identification of reasonably foreseeable internal and external threats and vulnerabilities, the likelihood that such threats will occur, and the impact on our business that could result from such occurrences. We then evaluate the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we adjust existing controls and implement new ones in response to changes in the risk environment, and we maintain those controls to mitigate and minimize identified risks. This process includes reasonably addressing any identified gaps in existing safeguards and regularly monitoring the effectiveness of our controls over time. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Director of IT, who reports to our Chief Operating Officer and manages the risk assessment and mitigation process.
As part of our overall risk management system, we monitor and test our controls and train our employees on these controls, in collaboration with IT and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.
We engage consultants, or other third parties, in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards. We require each third-party service provider to certify that it has the ability, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with its work with us, and to promptly report any suspected breach of its security measures that may affect the Company.
We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and breaches of our data and systems, including malware and computer virus attacks. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K.
Governance
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats and vulnerabilities. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee. Our audit committee is responsible for evaluating our cybersecurity program, cyber risk environment, and related risks and, with management, reporting findings and actions under our cybersecurity program and cyber risk environment to the full board of directors.
Our Chief Financial Officer, Chief Operating Officer and Director of IT have substantial relevant expertise in the life sciences industry and formal training in the areas of information security and cybersecurity risk management, and are primarily responsible for assessing and managing our material risks from cybersecurity threats, with assistance from third-party service providers.
Our Chief Financial Officer and Chief Operating Officer oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The cybersecurity risk management program includes tools and activities to identify, protect against, detect, respond to, and recover from current and emerging cybersecurity risks, and plans and strategies to address those risks and mitigate harm caused by cyber incidents.
Our Chief Financial Officer provides periodic briefings to the audit committee regarding the Company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our audit committee provides regular updates to the board of directors on such reports.