STAAR SURGICAL CO - (STAA)

10-K Filing Date: February 27, 2024
ITEM 1C.Cybersecurity

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and we have integrated these processes into our overall risk management program. We assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We have adopted as the governance framework for our cybersecurity program the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). We use this framework as a guide to help us identify, assess, respond to, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program includes:

periodic risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise information technology environment;
skilled internal information security and data privacy personnel, who support our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents;
external service providers, where appropriate, to monitor, assess, test, or otherwise assist with aspects of our security controls, and to support risk mitigation efforts;
training for our employees on cybersecurity awareness and the importance of protecting information assets, including “phishing” tests;
periodic reviews of key cybersecurity policies, and updating as needed;
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
a third-party risk management process for service providers, suppliers, and vendors.

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity, including data security risk mitigation efforts, to the Audit Committee. Under the Audit Committee charter, the Audit Committee has responsibility for discussing with management the Company’s policies with respect to risk assessment and risk management, including guidelines and policies to govern the process by which the Company’s exposure to risk is handled.

The Audit Committee receives reports from management on the Company’s cybersecurity risks and the Company’s cybersecurity program. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents.

Our management team is responsible for assessing and managing our material risks from cybersecurity threats. STAAR’s Chief Information Officer leads a team of information security professionals who have primary responsibility for our overall cybersecurity risk management program and supervises both our internal personnel and our retained external cybersecurity consultants. This team collaborates with STAAR’s legal and internal audit functions to address cybersecurity and data privacy risks. The Company’s internal information security and data privacy specialists have certifications from various organizations, including ISC2 (Certified Information Security Systems Professional or CISSP), Global Information Assurance (GIAC), the Computing Technology Industry Association (CompTIA) and International Association of Privacy Professionals (IAPP).

30

 

Our management team oversees efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include threat briefings from internal personnel and external service providers, as well as alerts and reports produced by security tools deployed in the information technology environment.

Back SEC Filing