Silk Road Medical Inc - (SILK)
10-K Filing Date: February 28, 2024
Background
Cybersecurity, compliance, data privacy, and data protection are essential to our business. In the ordinary course of business, we collect and store certain confidential information, such as the specifications of our products, information about our employees, customers, contractors, vendors, and suppliers, and information about TCAR procedures, which in some instances may include identifiable patient information. To safeguard this information, we have implemented a cybersecurity defense-in-depth approach leveraging the Center for Internet Security, Inc. (CIS) Critical Security Controls (CSC) framework designed to identify, meet, and defeat dangerous cyber attacks in order to protect confidential information, mitigate data compromise and breaches, and provide IT resiliency. The CIS CSC framework defines five critical areas to build a robust cybersecurity defense posture. We have developed and maintain a collection of policies and procedures to implement and support this cybersecurity framework.
Role of Management and Board Oversight
Our cybersecurity team is comprised of individuals with experience in cybersecurity who hold cybersecurity-specific credentials and certifications. The team members belong to relevant professional organizations and receive continuing education and certification to stay abreast of emerging trends and cybersecurity best practices.
We have established a Technology Steering Committee, or TSC, containing members of our senior management team to provide governance and strategic direction for managing cyber risks, maintaining IT regulatory compliance, and optimizing technology initiatives for alignment with our company goals and objectives. The TSC convenes quarterly, and meetings include updates on cybersecurity matters provided by the cybersecurity leader.
Our board of directors has delegated to the audit committee, which is composed entirely of independent directors, the responsibility to oversee our cybersecurity programs and cyber-related risks. Specifically, the audit committee's delegation under its formal written charter includes the responsibility to oversee the integrity of our IT systems, processes and data, and to review and assess with management (i) the adequacy of controls and security for our IT systems, processes and data, and (ii) our contingency plans in the event of a breakdown or security breach affecting our IT systems.
The cybersecurity team reports to our Chief Accounting Officer, who in turn reports to our Chief Financial Officer. Both officers regularly attend audit committee meetings where cybersecurity is discussed, and the audit committee is updated on security risks and key initiatives at least twice per year by the senior management team. The TSC is responsible for providing cybersecurity risk management oversight and approving the budget to fund our IT and cybersecurity programs. An important purpose of these management updates is to inform the audit committee of any potential risks and remediation tactics related to our cybersecurity posture, IT systems, and data privacy.
Use of Consultants and Advisors
We engage with a range of external experts, including cybersecurity assessors, consultants, auditors, and legal counsel in evaluating and testing our risk management systems. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current.
We have engaged a managed security services company to provide 24x7x365 monitoring to detect cyber threats and support us in containing and responding to cyber threats. The services provided by the managed security services company include monitoring for and updating us regarding emerging cybersecurity threats, real-time monitoring of our firewalls and other security controls, and support for the development and execution of our Incident Response Plan. The managed security services company performs monthly vulnerability scanning and generates reports. Our cybersecurity team has access to dashboards providing status updates on the managed security services company’s cybersecurity-related activity, meets regularly with the managed security services company’s staff, and receives regular reporting from the managed security services company.
We also receive and participate in other third-party cybersecurity assessments, such as: quarterly vulnerability scanning as part of our PCI DSS compliance requirements, annual network assessments, annual penetration testing, and vulnerability scans as part of our cyber insurance underwriting process.
In addition, we engage specialized consultants and third-party managed service providers on a project-specific basis to assist us with projects that will improve our IT infrastructure, strengthen our security posture, and improve our cyber readiness.
Cybersecurity Strategy and Risk Management
We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our cybersecurity program is designed for assessing, identifying and managing material risks from cybersecurity threats to the confidentiality, integrity, and availability of our assets and information. Risk management is embedded into our IT processes and we continuously monitor risk by evaluating emerging threats and vulnerabilities.
We have established security controls based on the CIS CSC framework. Key components of our cybersecurity program include, but are not limited to, asset management, encryption, data loss prevention technology, access controls, multi-factor authentication, vulnerability management, independent penetration testing, email and web gateway protection, multi-faceted backup and data recovery solutions, anti-malware, firewalls, IDS and IPS, auditing and monitoring, regular policy updates, security awareness training, anti-phishing campaigns, and third-party risk management. We also subscribe to third-party threat intelligence tools and services that support monitoring, analyzing, and responding to emerging risks and threats.
We have established an Incident Response Plan and a Security Operations Center to manage any cyber incident. We have retained a third-party incident response firm to support incident detection, management, and mitigation. We also maintain appropriate levels of cyber insurance. We implement processes to oversee and manage the risks associated with third-party service providers. We conduct security assessments of critical third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes ongoing assessments by our Information Security team. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
At least annually, we conduct information security awareness training for all employees. In addition, we have retained a third-party vendor to provide regular online awareness training modules for our employees. Each module contains a video extract followed by a short quiz.
To date, we have not experienced any material security incidents or data breaches as a result of a compromise of our information systems and are not aware of any cybersecurity incidents that have had a material impact or are reasonably likely to materially affect our business strategy, operating results, or financial condition.