Shockwave Medical, Inc. - (SWAV)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity.
Our board of directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Our cybersecurity policies, standards, processes and practices are fully integrated into our ERM program and are based on recognized frameworks established by the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF), the International Organization for Standardization Information Security Management System Standard (ISO 27001) and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to any cybersecurity incidents.
Risk Management and Strategy
As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:
Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which regularly interacts with our ERM function, our Chief Information Security Officer (“CISO”), our Chief Digital & Information Officer (“CDIO”) and other members of management involved in cybersecurity risk management.
Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Safeguards: We deploy technical and non-technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. We operate a security operations center which monitors our environment in a continuous manner.
Incident Response and Recovery Planning: We have established and maintain business continuity and technical recovery plans of critical systems and resources in the event of a cybersecurity incident that fully address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis. We also maintain a cybersecurity insurance policy, though the costs related to cybersecurity threats or disruptions may not be fully insured.
Third-Party Risk Management: We maintain a third-party cyber risk management program to identify and oversee cybersecurity risks presented by third party providers, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. In the event we identify a risk, we communicate the risk to the third party and monitor the remediation. In the event of a critical risk that may cause imminent or material damage to us or our customers, our policy provides that we cease operating with such third party until the risk is remediated.
Education and Awareness: We provide regular, mandatory training, including ongoing end-user security awareness training and attack simulation assessments, for personnel regarding cybersecurity threats to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents, including through a formal annual risk assessment. These efforts include a wide range of activities, including external audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, endpoint detection and response, security operations centers, vulnerability and patch management programs and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and the Board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.
We have not identified risks from known cybersecurity threats that we believe have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, operating results, or financial condition. We will continue to monitor and assess our cybersecurity risk management program as well as invest in and seek to improve such systems and processes as appropriate. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our operations, business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the section titled “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.
Governance
The Board, in coordination with the Audit Committee, oversees our ERM process, including the management of risks arising from cybersecurity threats. The Audit Committee receives quarterly reports, and the Board is briefed at least once annually, on cybersecurity risks from the CISO, which address a wide range of topics including the status and specific metrics on our cybersecurity program, recent developments, evolving standards and regulations, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to our peers and third parties. The Board and the Audit Committee would receive prompt and timely information regarding any future cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. The Board and the Audit Committee discuss our approach to cybersecurity risk management with our CISO, CDIO and other members of management involved in cybersecurity risk management regularly.
The CISO and CDIO work collaboratively across the business to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any future cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams throughout the organization are deployed to address cybersecurity threats and to respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO and CDIO are informed about, and monitor, the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Audit Committee when appropriate.
Our CISO has served in various leadership roles in information security, including serving as the Chief Information Security Officer at two other companies. Our CISO holds an undergraduate degree in Information Systems and a master’s degree in Cybersecurity and Information Assurance and has obtained multiple professional security certifications including Certified Chief Information Security Officer. Our CDIO holds an undergraduate degree in Management Information Systems with minors in Computer Science and Economics and has served in various leadership roles in information technology, including serving as the Chief Information Officer of two public companies.