Outset Medical, Inc. - (OM)
10-K Filing Date: February 21, 2024
At Outset, we strive to protect the confidentiality, integrity and availability of the personal data entrusted to us. We continue to invest in our cybersecurity program in an effort to enhance our ability to prevent, detect, contain, and mitigate cybersecurity threats.
Risk Oversight
Oversight of our information security program, including oversight of risks related to cybersecurity threats and the assessment and management of such risks, is accomplished through a governance structure which includes our Board, Audit Committee, and executive management.
BOARD AND COMMITTEE OVERSIGHT

Board: One of the key functions of our Board is informed oversight of our risk management process. Our Board focuses on the overall risks affecting us and delegates responsibility for oversight of certain specific risks to its standing committees. For significant risks related to cybersecurity, the Board has delegated oversight responsibility to the Audit Committee. Our full Board and Audit Committee are kept informed about significant risks related to cybersecurity, including enterprise-level risks from cybersecurity threats. The Board receives written updates, generally on a quarterly basis, regarding the status of our information security program. In addition, the Audit Committee receives in-person updates on our information security programs on at least an annual basis. These updates generally cover topics such as our cybersecurity strategy, the threat landscape, key cybersecurity risk areas facing the organization, any key findings of audits and testing, the status of key initiatives, as well as a review of any major incidents.

Audit Committee: Our Audit Committee is responsible for overseeing our major financial, legal, and regulatory risk exposures, which span a variety of areas, including cybersecurity.

MANAGEMENT

Executive management plays a significant role in assessing and managing material risks from cybersecurity threats. Our Chief Technology Officer manages our information security program.

Executive leadership: Our Chief Technology Officer and the information security team periodically present information about the Company’s information security program, including program goals and actions, progress against key initiatives and key risks, to our executive leadership team. As described above, significant risks related to cybersecurity are escalated to the Audit Committee and/or the full Board as appropriate.

Cross-functional management engagement: We have established a committee comprised of leaders from key functions across the Company including, but not limited to, information security, IT, engineering, legal, regulatory, medical affairs, finance, research and development, operations, supply chain, marketing and people operations. This committee generally meets quarterly and is responsible for promoting a culture of awareness and accountability related to, among other things, information security. The committee also provides cross-functional input to facilitate the development, articulation, implementation and operation of information security risk management programs.

Governance of information security risks: We have also established a risk governance committee, which generally meets on a monthly basis. This committee, which is sponsored by the Chief Technology Officer, is comprised of Company associates from information security, information technology (IT), engineering, and other functions, who have experience in managing cybersecurity risks, who review the cybersecurity threat landscape, and who evaluate key emerging data security risks. The committee reviews certain cybersecurity-related risks facing the company; discusses open policy exceptions and key risk indicators; and manages cybersecurity risks presented by the information security team and proposed mitigation actions. Members of this committee review the key risks identified as an outcome of our cybersecurity risk management strategy described below.
Risk Management and Strategy
Our cybersecurity risk management program is designed to identify, assess, and manage reasonably foreseeable material risks facing Outset from cybersecurity threats. We identify cybersecurity risks in various ways, including but not limited to the ongoing monitoring of our systems using various technologies and processes, monitoring of emerging threats, third-party penetration testing of our device and systems, vulnerability scanning and assessments, and cross-functional risk discussions. We have also received System and Organization Controls 2 (SOC 2) certification for Tablo cloud. We have developed processes to help us track, prioritize, and manage identified cybersecurity risks. For example, risks are defined, categorized, and assigned a risk rating based on potential impact and likelihood, which informs the acceptance, mitigation or remediation actions to be undertaken. The Risk Governance Committee reviews key identified risks and discusses related mitigation actions in response to such risks.
We have operationalized key processes to help us identify, assess, manage, and mitigate reasonably foreseeable risks from potential cybersecurity threats. For example:
Risks from Cybersecurity Threats
Our business relies on secure and continuous processing of information and the availability of our IT networks and IT resources, as well as critical IT vendors that support our technology and data processing operations. Security breaches, computer malware and computer hacking attacks have become more prevalent across industries and may occur on our systems or those of our third-party service providers. Attacks upon IT systems are increasing in their frequency, levels of persistence, sophistication, and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. We may face increased risks from cybersecurity threats due to our reliance on internet technology and the increased frequency of employees working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities.
We regularly monitor, defend against, and respond to cyber and other security threats to our networks and other information security incidents. Despite our information security efforts, our facilities, systems, servers, platforms and data, as well as those of our third-party cloud and other service providers and Tablo’s two-way wireless communication system, may be vulnerable to privacy and information security incidents and may be breached due to the actions of outside parties, employee error or misconduct, malfeasance, or a combination of these and, as a result, an unauthorized party may obtain access to our data or the personal information maintained by us or on our behalf. Such incidents include data breaches, viruses or other malicious code, exploitation of known or unknown vulnerabilities, coordinated attacks, data loss, phishing attacks, ransomware, denial of service attacks, insider threats or other security or IT incidents caused by threat actors, technological vulnerabilities, or human error. Additionally, outside parties may attempt to fraudulently induce employees to disclose sensitive information to gain access to the data and personal information we maintain. As of the date of this Annual Report, we are not aware of any material adverse impact to our business or operations from cybersecurity threats or incidents. We do, however, recognize that the cybersecurity landscape evolves rapidly and that we are not immune to such incidents. If we, or any of our third-party service providers, fail to comply with laws requiring the protection of sensitive personal information, or fail to safeguard and defend personal information or other critical data assets or IT systems, or if our incident response, containment or mitigation measures are inadequate in the face of a particular data security incident, we may face significant business interruptions, incur reputational damage, and be subject to regulatory enforcement and fines as well as private civil actions. We may be required to expend significant resources in the response to, containment and mitigation of cybersecurity incidents, as well as in defense against claims that our information security was unreasonable or otherwise violated applicable laws or contractual obligations. In addition, to the extent that our cloud and other service providers experience security breaches that result in the unauthorized or improper use of confidential information, employee information or personal information, we may not be indemnified for any losses resulting from such breaches. If we are unable to prevent or mitigate the impact of such security breaches or other cyber events that impact our operations, our ability to attract and retain new customers, patients, and other partners could be harmed, as they may be reluctant to entrust us with their data, and we could be exposed to litigation and governmental investigations, which could lead to a potential disruption to our business or other adverse consequences.
In addition, manufacturing operations at our Mexico-based facility may also suffer disruptions from cybersecurity attacks, which could negatively impact our ability to produce Tablo consoles and cartridges, restrict or delay our ability to deliver products to our customers and meet our customers’ demand on a timely basis, and result in customer dissatisfaction, all of which would adversely impact our results of operations. Moreover, we use Amazon Web Services to support Tablo’s cloud connectivity and any disruption of service as a result of cybersecurity attacks could interrupt or delay our ability to receive and deliver certain treatment and reporting information from and to providers and patients. The continuing and uninterrupted performance of Tablo is critical to our success and any repeated or prolonged system failures may damage our reputation, reduce the attractiveness of Tablo to providers and patients, and result in decreased demand for Tablo, thereby adversely affecting our business, financial condition and results of operations.
For more information on the risks we face from cybersecurity threats and the potential impacts on our company, see the section above entitled “Risk Factors” under Part I, Item 1A, including the risk factor entitled “We may face additional costs, loss of revenue, significant liabilities, harm to our brand, decreased use of our platform and business disruption if there are any security or data privacy breaches or other unauthorized or improper access.”