VirTra, Inc - (VTSI)
10-K Filing Date: April 01, 2024
We are committed to our goal to protect sensitive business-related and personal information, as well as our information systems. Although the size and scope of our operations are limited compared to larger global operations, we are subject to numerous and evolving cybersecurity risks that could adversely and materially affect our business, financial condition and results of operations. In that regard, we have increased our investment in information systems by hiring a Director of Technology in 2024 to replace limited outsourced services previously utilized. We are currently working towards CMMC certification and expect to be ready for a third-party assessment sometime during the 2025 fiscal year.
Our Management Leadership Team, with oversight from the Board of Directors, plans to implement a comprehensive cybersecurity program, including an incident response process, aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST Computer Security Incident Handling Guide (NIST SP 800-61) to assess, identify, address and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity and availability of our business and information systems.
Our Director of Technology reports to our Chief Financial Officer and has operational responsibility for our information security programs, protections, and efforts, along with leading efforts for implementing, monitoring, and maintaining cybersecurity and data security strategy, policy, standards, architecture, and practices across our business. We anticipate that our Director of Technology will update the Chief Financial Officer and Chief Executive Officer on these matters and work closely with these Senior Executives to oversee compliance with legal, regulatory, and contractual security requirements with the guidance of outside counsel.
We anticipate that our Board, in coordination with the Audit Committee, will oversee the Company’s enterprise risks arising from cybersecurity threats and will periodically review the measures we have implemented to identify and mitigate data protection and cybersecurity risks. We do not currently have a Cybersecurity Incident Response Plan (“CSIRP”) to provide the organizational and operational structure, processes, and procedures for investigating, containing, documenting and mitigating cybersecurity incidents. We expect to implement a risk-based approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
We also rely on information technology and third-party vendors to support our operations, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to continuously improve our and our vendors’ ability to protect against cyber incidents, we may not be able to protect all information systems, and such incidents may lead to reputational harm, revenue and customer loss, legal actions and statutory penalties, among other consequences. While we have not experienced any material cybersecurity threats or incidents in recent years, there can be no guarantee that we will not be the subject of future threats or incidents.