Inari Medical, Inc. - (NARI)
10-K Filing Date: February 29, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
In the normal course of business, we collect and store personal information and other sensitive information on our information systems. To protect our information, our existing cybersecurity policies require continuous monitoring and detection programs and network security precautions.
Our cybersecurity processes, technologies, and controls aid in our efforts to assess, identify, and manage material risks associated with cybersecurity threats. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risks; and reputational risks.
Our enterprise risk management program incorporates risks related to cybersecurity threats alongside other company risks as part of our overall risk assessment process. We also employ a cybersecurity-specific risk assessment process. Our IT professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to inform our professionals of risk identification and assessment.
We also engage experts to attempt to infiltrate our information systems.
Additionally, we undertake the following activities as part of our processes to assess, identify and manage material risks from cybersecurity threats:
• monitor emerging data protection laws and implement changes to our processes as needed;
• conduct periodic cybersecurity management and incident training as well as social engineering training for employees and consultants involved in our systems and processes that handle sensitive data;
• require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
• perform tabletop exercises to simulate a response to a cybersecurity incident and use the findings to inform our processes and technologies;
• leverage the NIST incident handling framework to help us respond and recover when there is an actual or potential cybersecurity incident; and
• carry information security risk insurance to provide protection against certain potential losses arising from a cybersecurity incident.
We also maintain an incident response plan, which outlines our procedures for detecting, responding to and recovering from cybersecurity incidents. The incident response plan includes processes to triage, assess severity for, escalate, contain, investigate, and remediate the cybersecurity threats and incidents, as well as to assist in complying with potentially applicable legal obligations and mitigating brand and reputational damage.
As part of the above processes, we engage with assessors, consultants, auditors, and other third parties to review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance.
We are continuing to build processes to address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. Additionally, we generally require those third parties that have greater access to sensitive information to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
We do not believe risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, we can give no assurance that we have detected or protected against all cybersecurity threats or incidents. Please refer to the risk factor titled “Failure to protect our information technology infrastructure against cyberattacks, security breaches, service interruptions, or data corruption could materially disrupt our operations and adversely affect our business and operating results”, included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, for additional information about risks related to cybersecurity matters.
Cybersecurity Governance
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are overseen by our cybersecurity committee, which is led by our Vice President, IT and is comprised of a cross-functional team which includes our Chief Financial Officer and General Counsel, along with other members of our IT, legal, finance and internal audit departments. To facilitate our cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Our cybersecurity committee meets on a regular basis and is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above.
Through ongoing communications with these teams, our Vice President, IT, and the cybersecurity committee monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the audit committee on a quarterly basis and as otherwise necessary, and annually to the full Board and as the cybersecurity committee otherwise deems appropriate. Our Vice President, IT has over 20 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, managing data centers, and designing networks and infrastructure. Our Vice President of IT oversees a team of experienced and certified individuals who hold various certificates relevant to information security.
The audit committee of our board of directors has oversight responsibility for our data security practices and cybersecurity threats, periodically reviewing and discussing with management our policies, practices and risks related to information systems, information security, data privacy and cybersecurity. At least annually, the entire board of directors receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks, and information security considerations arising with respect to our peers and other third parties. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters such as enterprise risk management, operational budgeting, mergers and acquisitions, and other relevant matters.