Autonomix Medical, Inc. - (AMIX)

10-K Filing Date: May 31, 2024
Item 1C. Cybersecurity.

 

Risk Management and Strategy

 

There have been an increasing number of cyberattacks on companies around the world, which have caused operational failures, compromised sensitive corporate or customer data, and/or resulted in significant financial damages. These attacks have occurred over the internet, through malware, viruses or attachments to e-mails, or through inside actors with access to systems within the organization.

 

We have implemented security measures as part of an evolving cybersecurity posture and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks and mitigate the damage that could result from such an attack. Subsequent to March 31, 2024, all employees will begin receiving cybersecurity training and other education regarding their use of computers, information technology, and sensitive data, including specifically how to recognize common attack strategies. As the Company does not have a physical office location, it does not have a local network or in-house servers and proprietary applications. We therefore utilize third-party applications and resources to support our information technology (“IT”) needs. All applications utilized by the Company are Software as a Service (“SaaS”) offerings. As our applications are developed and managed by third parties, we are dependent on these providers for many functions including disaster recovery during a disaster or cyber incident. Our goal is to only utilize the most secure and trusted providers for our IT needs. To this end, we are currently reviewing the security credentials and certifications of our key application providers. Our business continuity plans are evaluated against evolving security and service level standards, which includes evaluating those cybersecurity threats associated with our use of key third-party service providers.

 


 

Our cybersecurity management strategy will consist of utilizing a combination of employee education, preventative controls, detective controls and periodic third-party cybersecurity testing. During fiscal year 2024, we began to deploy and utilize enterprise scale technology to support an appropriate cybersecurity posture including: endpoint detection and response, firewalls, security information and event management, email security, multifactor authentication, and vulnerability management, with deployment of these tools to be completed prior to March 31, 2025. As part of the service offering from our outsourced IT security services provider, cybersecurity related alerts will be issued to us as relevant situations develop. These alerts will be evaluated in concert with our IT provider and in the event an alert requires action within our environment, such actions will be taken promptly. Our process and cybersecurity posture will continue to be refined based on the results of periodic cybersecurity assessments conducted jointly with our IT provider. Upon implementation of this strategy, we will report on cybersecurity in reports to the Audit Committee on a semi-annual basis.

 

To operate our business, we rely upon certain third-party service providers (the "Providers") to perform a variety of functions, such as outsourced business critical functions, clinical research, professional services, SaaS platforms, managed services, cloud-based infrastructure, content delivery, encryption and authentication technology, corporate productivity services, and other functions. We are in the process of developing vendor management processes designed to help manage cybersecurity risks associated with our use of these Providers. Depending on the nature of the services provided, the sensitivity and quantity of information processed and the identity of the Provider, our vendor management process may include i) reviewing the cybersecurity practices of such Provider; ii) requiring their completion of written questionnaires regarding their services and data handling practices; and iii) obtaining a Security Operations Center ("SOC") report for the Provider's internal control structure. For our largest third-party provider, our Contract Research Organization (“CRO”) which is helping us manage our clinical trial(s), we will conduct a comprehensive security assessment and review, including their cybersecurity practices, protocols and protections and physical security.

 

Governance

 

The Audit Committee is responsible for oversight of cybersecurity risk. Our Chief Executive Officer and Chief Financial Officer are the members of management responsible for managing and assessing our cybersecurity practices. The plan for the future is that they will report to the Audit Committee on cybersecurity on a semi-annual basis. Should any cybersecurity threat or incident be detected, our senior management team would timely report such threat or incident to the Audit Committee and provide regular communications and updates throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken.

 

We believe we are appropriately staffed (as supported by our outsourced IT provider) to support a healthy cybersecurity posture given our size and scope. Our Chief Financial Officer, who reports to the Chief Executive Officer, is directly responsible for IT functions.

 

To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the aforementioned efforts, a cyberattack, if it occurred, could cause system operational problems, disrupt service to clinical trial sites, compromise important data or systems or result in an unintended release of confidential information. See “Item 1A. Risk Factors” for additional discussion of cybersecurity risks impacting our Company.