SMITH MICRO SOFTWARE, INC. - (SMSI)

10-K Filing Date: February 26, 2024
Item 1C. CYBERSECURITY
Risk Management and Strategy
In our business, we recognize the risk that cybersecurity threats pose to our operations, and as such, cybersecurity is an important component of our overall risk management strategy. We have adopted and implemented an approach to identify and mitigate cybersecurity risks utilizing the National Institute of Standards and Technology’s Cybersecurity Framework (“NIST CSF”) as a guideline to help management identify, assess, reassess, and manage cybersecurity risks. We have developed and implemented cybersecurity programs and processes, including risk management and assessment programs, network segmentation, deployment of detection tools across our network, systems and databases, security and event monitoring capabilities, a detailed incident response plan and an incident response team. Our incident response team is led by our Chief Information Officer, who has over 22 years of experience in information technology leadership and information security, serving in roles of increasing responsibility within private and public companies, and also includes our General Counsel and our Chief Financial Officer.

We conduct an initial assessment of the cybersecurity profile of our third-party vendors as they are onboarded and evaluate their cybersecurity programs and safeguards before utilizing them in our environments. We use cyber threat intelligence services to continuously monitor and scan for indications that any of our vendors has experienced a security incident. Within our purchasing and third-party vendor management programs, we require all vendors who handle our data, as well as vendors who provide technology and data services, to maintain certain security protections, including compliance with applicable data protection laws and implementation of administrative, physical, and technical safeguards to protect our data in storage, in transmission, and at the point of access.

We have implemented advanced detection, prevention and protection capabilities, including practices and tools to monitor and mitigate threats. We provide company-wide cybersecurity awareness training at least quarterly and routinely communicate with employees about the potential for cybersecurity threats. We additionally deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion detection and prevention systems, anti-malware functionality and access controls, vulnerability assessments and cybersecurity threat intelligence. We continuously monitor and assess our information technology and data assets to detect anomalies and to respond quickly to threats that may arise. In certain instances, we engage third parties to conduct or assist us with conducting cybersecurity risk assessments, information security program assessments and external threat environment reviews.

We perform periodic assessments and testing of our policies, standards, processes, and practices in a manner intended to address cybersecurity threats and events. The results of such assessments are evaluated by management, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these evaluations.

Our incident response plan sets forth a process for detecting and responding to cybersecurity incidents, determining their scope and risk, developing an appropriate response to mitigate and remediate the incident, assessing materiality and any communication or notification requirements, and reducing the likelihood of future incidents. In the event of an actual or suspected cybersecurity incident, the information technology team would, as soon as practicable, inform the incident response team, the members of which would then collaborate to agree on a response strategy and manage the associated risks.

The risks that security breaches, improper access to or disclosure of our data, our customers’ data or their end users’ data, other hacking attacks on our systems or the third-party systems that we use, or other cyber incidents and privacy breaches could harm our reputation and adversely affect our business are further disclosed in Item 1A. RISK FACTORS. To date, there have been no cybersecurity incidents which have materially affected, or have been reasonably likely to materially affect, the Company, including our business strategy, results of operations or financial condition. Further, we have a cyber risk insurance policy designed to help us mitigate risk exposure by providing access to external cybersecurity firms, as needed, and offsetting certain costs that may be involved with response, recovery and remediation after a cybersecurity breach or similar event.

Governance
The audit committee of the Company’s Board of Directors is responsible for overseeing management’s risk assessment and risk management processes designed to monitor and mitigate cybersecurity threats by reviewing with management the cybersecurity and other information technology risks, controls and processes, including the processes used to prevent or mitigate cybersecurity risks and respond to cybersecurity events. The Chief Information Officer, who leads the Company's incident response team, provides reports at least annually to the entire Board of Directors and, as appropriate, to other members of our senior management team. These reports include updates on the Company’s cybersecurity risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape. Our Chief Information Officer also regularly updates senior management on our cybersecurity risk governance and management and on the status of ongoing efforts to strengthen cybersecurity effectiveness. We also actively engage with key vendors, customers, and industry participants as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.

As provided in the incident response plan, our audit committee will also receive prompt information from the incident response team regarding cybersecurity threats or incidents that may be material in nature, as well as ongoing updates regarding any such threat or incident until it has been mitigated, resolved, or otherwise addressed.