AVITA Medical, Inc. - (RCEL)

10-K Filing Date: February 22, 2024
Item 1C. CYBERSECURITY

 

Risk Management and Strategy

 

AVITA Medical has implemented an Information Security Management System (ISMS). The Company’s ISMS is a continuous process designed to analyze the potential risks, vulnerabilities, the likeliness of occurrence and the related consequences of cybersecurity threats. The process is based on establishing the context, assessing the risks, and treating the risks. The key concept of the ISMS is to consistently maintain and improve confidentiality, integrity, and availability of information assets that should be protected by the organization on behalf of itself and its clients, and third parties. Once a risk, threat or vulnerability is identified, the Company establishes a risk treatment plan to take corrective action to prevent risks that can be avoided and minimize the ones that cannot. We engage an independent third-party cybersecurity services and consulting firm to continuously review our information security. We also conduct internal phishing campaigns and perform an independent penetration test on an annual basis. In addition, we conduct regular security awareness training and testing of our employees. The Company has not had any material cybersecurity incidents.

 

All related activities ISMC activities have been structured into a framework consisting of:

 

1.
Context establishment - Established in accordance with the requirements of International Organization for Standardization 27001 and 27002 (“ISO 27001” and “ISO 27002”). The ISO 27001, Information security management systems, provides a framework and guidelines for establishing, implementing and managing an ISMS and ISO 27002, Information security controls, provides a reference set of generic information security controls including implementation guidance.
2.
Risk Assessment - Relates to an evaluation and identification of risks, threats and vulnerabilities that exist or could exist, identifies the likelihood of occurrence and potential consequences. As part of the risk assessment management prioritizes the assessed risks from low to high based on likelihood and level of impact.
3.
Risk Treatment – will detail the remediation process for risks, vulnerabilities and threats identified to reduce the risk to an acceptable level.
4.
Risk Acceptance- The Company’s risk assessment is evaluated from a Low (1) to a High (3) on the Impact the threat would have on the Company and its operations and the likelihood of occurrence. Threat ratings created from the Impact and probability calculations will result with a value from 1- 9.
a.
Low (1 – 2.99) = Risk level acceptable and no further action deemed necessary
b.
Medium (2 – 5.99) and High (6 - 9) – implement risk management to reduce the risk to an acceptable level
5.
Risk Communications- Results of the risk assessment are communicated to appropriate level of management. Report includes the identified risk and vulnerability summaries. Updates will include treatment plans and status updates.
6.
Risk Monitoring and Review -Continuously performed to evaluate any changes or the need for changes. The Company uses the Ontrack software solution (“Ontrack”) to monitor and track all aspects of risk assessment. Ontrack also serves as tool to track any cybersecurity incidents and remediation tasks.

 

Disclosure of Management’s Responsibility

 

The Company’s Chief Financial Officer is primarily responsible for overseeing the Cybersecurity Risk Management Program and leading the Company’s efforts to mitigate technology risks in partnership with various business leaders in the organization. For qualifications of the CFO refer to Item 10 of the form 10-K. We have protocols, policies and tools in place to mitigate cybersecurity risk. They also provide the administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and availability of confidential information and personal information from unauthorized access, use, disclosure, alteration, destruction or theft. In addition, we engage an independent third party annually to assess our IT general controls and IT security. Special focus is given to maintaining and improving our alignment with ISO 27001. Additionally, we have a cybersecurity incident response plan in place that provides a documented framework for handling high and low severity security incidents and facilitates coordination across

27

 

multiple parts of the business. We have engaged an external consultant to provide oversight and technical expertise to our ISMS process. Finally, cybersecurity is integrated into the Company’s training as all employees are required to take security awareness training.

 

Disclosure of the Board’s Responsibility

 

While management is primarily responsible for assessing and managing cybersecurity risks on a day-to-day basis, the Company’s Board of Directors oversees management’s efforts to assess and manage risk. The Board (in conjunction particularly with the Audit Committee) monitors the cybersecurity risk assessment and response process. The Audit Committee is briefed by our Chief Financial Officer on our cybersecurity ISMS program and the overall cybersecurity risk environment. The briefing may include discussions on topics such as: information security and technology risks, cybersecurity risk assessment process and updates, information risk management strategies, and progress on cybersecurity and data protection training initiatives for employees, among others.

 

Back SEC Filing