Acutus Medical, Inc. - (AFIB)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management
We recognize the need to maintain the security and confidentiality of personal information, protected health information and other confidential data that we may collect or use in connection with our business, and the importance of assessing, identifying and managing various cybersecurity risks that may impact our business. Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of hardware, software and technical applications and platforms developed or provided by our third-party service providers, and facilitates coordination across different departments of our company.
As part of our enterprise risk management process, we assess the various cybersecurity risks that may impact our business and implement plans and initiatives that are intended to mitigate those risks.
Our cybersecurity program includes: (i) risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, software, and services; (ii) a cybersecurity team principally responsible for managing our (1) information security risk assessment processes, (2) security controls, and (3) response to cybersecurity incidents; (iii) risk assessments and security tests, conducted internally; (iv) new-hire and annual cybersecurity awareness training of our employees; (v) a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and (vi) third-party risk assessment procedures to review material third-party vendors and applications for information security. Our cybersecurity team is responsible for assessing our cybersecurity risk management program and we also engage a third party for such assessment.
Governance
Our board of directors has overall oversight responsibility for our risk management, and delegates cybersecurity risk management oversight to the Audit Committee of the board of directors (the “Audit Committee”). The Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. Management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Director of IT who receives reports from our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our dedicated personnel are knowledgeable about our products and systems and experienced information systems security professionals and information security managers with many years of experience. Management regularly updates the Audit Committee on the company’s cybersecurity programs, material cybersecurity risks and mitigation strategies and provide cybersecurity reports quarterly that cover, among other topics, the company’s cybersecurity programs, developments in cybersecurity and updates to the company’s cybersecurity programs and mitigation strategies.
In 2023, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors—Risks Related
37

to Our Business and the Products—Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation” in this annual report on Form 10-K.