VAPOTHERM INC - (VAPO)
10-K Filing Date: February 22, 2024
We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Cybersecurity processes to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and have been embedded in our operating procedures, internal controls and information systems. On a regular basis, we implement into our operations these cybersecurity processes, technologies, and controls to assess, identify and manage material risks.
Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic penetration testing and tabletop exercises to inform our risk identification and assessment of material cybersecurity threats.
To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we:
Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we engage with consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.
Our processes also include assessing cybersecurity threat risks associated with our use of third-party service providers in the normal course of business, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our risk management process discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party service providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.
Management has implemented risk management structures, policies and procedures, and manages our risk exposure on a day-to-day basis. We have a cybersecurity organization within our information technology department that focuses on current and emerging cybersecurity matters and leverages cybersecurity consultants and third-party cybersecurity firms. Our cybersecurity function is led by our Chief Financial Officer, who reports to our Chief Executive Officer. Our Chief Financial Officer and cybersecurity organization are actively involved in assessing and managing cybersecurity risks. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies.
Our Audit Committee of the Board of Directors is responsible for oversight of our risk assessment, risk management, disaster recovery procedures and cybersecurity risks. Periodically during each year, the Audit Committee receives an overview from our Chief Financial Officer of our cybersecurity threat risk management and strategy processes, including potential impact on the Company, the efforts of management to manage the risks that are identified and our disaster recovery preparations. Members of the Board of Directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
As of the date of this filing, we do not believe that our business strategy, results of operations or financial conditions have been materially affected by any cybersecurity incidents for the reporting period covered by this report. However, companies like us, as well as our employees, service providers and other third parties, have experienced information security and cybersecurity attacks in the past and will likely continue to be the target of cyber actors.
We describe whether and how risks from identified cybersecurity threats have affected or are reasonably likely to affect our financial position, results of operations and cash flows, under the heading “Risks Related to Our Business” included as part of our “Item 1A. Risk Factors” of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.