T2 Biosystems, Inc. - (TTOO)

10-K Filing Date: April 01, 2024
Item 1C.CYBERSECURITY

Risk management and strategy

We rely on our information technology to operate our business and understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Cybersecurity processes to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and have been embedded in our operating procedures, internal controls and information systems. On a regular basis, we implement into our operations these cybersecurity processes, technologies, and controls to assess, identify and manage material risks.

As part of our broader risk management framework, we have identified potential cybersecurity risks to our business. We have designed our business applications and hosting services to minimize the impact that cybersecurity incidents could have on our business and have identified back-up systems where appropriate. We seek to further mitigate cybersecurity risks through a combination of monitoring and detection activities, use of anti-malware applications, employee training, quality audits and communication and reporting structures, among other processes. We have an incident response plan in place that outlines containment, eradication and recovery plans in the event of a cybersecurity threat or incident.

We engage a third-party consultant to assist us with designing controls and our cybersecurity risk management framework, and we are engaging with a third party to perform penetration testing. We also retain third parties to assist with the monitoring and detection of cybersecurity threats and responding to any cybersecurity threats or incidents.

With respect to third parties that manage or use our information technology or data, we obtain reports to assess the security of their systems and processes. We engage in ongoing monitoring of all critical third-party providers to help ensure compliance with our cybersecurity standards.

We have not encountered cybersecurity threats or incidents that have had a material impact on our business.

Governance

Our Board of Directors has assigned specific oversight responsibility for cybersecurity to our Audit Committee. The Audit Committee reviews and discusses with management our policies, practices and risks related to information security and cybersecurity.

Our General Counsel has primary responsibility for assessing, monitoring and managing cybersecurity risks.

Our General Counsel provides an update to the Audit Committee on any risks related to cybersecurity on a quarterly basis. Our incident response plan includes notifying the Audit Committee, and then the Board of Directors, of any material threats or incidents that arise.