AtriCure, Inc. - (ATRC)
10-K Filing Date: February 16, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We are committed to preserving the trust and confidence of our stakeholders by taking appropriate technical and organizational measures for maintaining information security and data privacy. Our cybersecurity program allows us to assess, identify and manage information security and cybersecurity threats through robust risk assessment and prevention measures to facilitate communication, training, awareness and incident response procedures. We have established policies and procedures to ensure timely and appropriate notifications to relevant parties and regulators as required for cybersecurity threats and data breaches.
We have continued to expand investments in information security, including additional end-user training, using layered defenses, identifying and protecting critical assets, strengthening monitoring and alerting mechanisms, and engaging experts. Information security awareness trainings are a compliance requirement for employees. We regularly test defenses by performing simulations and drills at both a technical level (including through penetration tests) and by reviewing our operational policies and procedures with third-party experts.
Our data breach response plan designates an incident response team comprised of senior leaders within information technology, finance, legal and compliance functions to ensure timely diagnosis and mitigation of cyber events. The incident response team is responsible for determining whether a cybersecurity incident is material and requires current reporting pursuant to SEC Form 8-K Item 1.05 (Material Cybersecurity Incidents). In conducting the assessment, the team considers factors including, but not limited to: the probability of an adverse outcome; the potential significance of loss; the nature and extent of harm to individuals, customers, and vendors; the nature and extent of harm to our competitive position or reputation; and the possibility of litigation or regulatory investigations.
To ensure our cybersecurity programs adhere to industry best practices, we have adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework and subscribed to the principles of Zero Trust. Both models represent recognized best practices for security and the capabilities needed to identify, protect, detect and respond to cybersecurity risks and challenges. We evaluate our physical, electronic and administrative safeguards on a continuous basis to ensure they are effectively deployed across the business.
We also work with trusted and recognized third parties to help us assess, strengthen and monitor the operations of our information security program. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with information sharing and analysis centers and cybersecurity associations.
Assessing, identifying and managing cybersecurity-related risks are integrated into our overall enterprise risk management (ERM) process, which evaluates and assesses top risks to the enterprise on a periodic basis. To the extent the ERM process identifies a heightened cybersecurity-related risk, risk owners are assigned to develop risk mitigation plans, which are then tracked to completion. The ERM process's risk assessment is presented to the Board of Directors. In addition to assessing our own cybersecurity preparedness, we also consider cybersecurity risks associated with the use of third-party software and service providers. Such providers are subject to security risk assessments at the time of onboarding, at contract renewal and upon detection of an increase in their risk profile. On an annual basis we review System and Organization Controls (SOC) 1 or SOC 2 reports for third-party service providers deemed significant to our environment.
Despite the Company’s security measures and programs, our information technology and infrastructure are vulnerable to cybersecurity incidents, intrusions and attacks, any of which could have a materially adverse effect on our business, financial results, revenues and competitive position. See “Part I—Item 1A. Risk Factors” for further discussion of these risks.
Governance
Our Board of Directors is responsible for the oversight of cybersecurity risks and threats. The Board has delegated certain information security and data privacy oversight to the Audit Committee and the Compliance, Quality and Risk Committee (CQRC) of the Board. The CQRC oversees compliance with information security and data privacy laws, while the Audit Committee has oversight responsibility for cybersecurity risks related to accounting, audit and financial matters. The CQRC, Audit Committee and management report to the Board on a periodic basis regarding our information security and data privacy functions, including any cybersecurity threats.
The CQRC is responsible for oversight of our cybersecurity policy, procedures and risk mitigation. Our information technology (IT) leadership briefs the CQRC on a periodic basis on information security matters, including the current cybersecurity landscape, progress on information security initiatives and accomplishments, and reports on material cybersecurity incidents, as needed. Reports from our enterprise risk management team address the Company’s cybersecurity risk management processes. Our Chief Legal Officer oversees the management of our ERM program and has over a decade of experience in risk management. The Chair of the CQRC is an expert in enterprise risk assessment and mitigation and holds a CERT Certificate in Cybersecurity Oversight.
The Audit Committee is responsible for reviewing our disclosures on cybersecurity risk management, strategy and governance in our Annual Report on Form 10-K. The Audit Committee assists in determining materiality for timely reporting of cybersecurity incidents and is notified immediately if the incident response team has assessed that a material event may have occurred that may require filing an SEC Current Report on Form 8-K.
The Vice President of Information Technology, assisted by our broader IT team, is responsible for setting the strategic direction and priorities for information security, coordination of enterprise-wide compliance with information security policies and procedures, as well as day-to-day information security management. Our Vice President of IT has served in various roles in information technology and information security for over 20 years. Our information security team has an aggregate of more than 60 years of experience in information technology roles across several industries.