AMERICAN SHARED HOSPITAL SERVICES - (AMS)

10-K Filing Date: April 01, 2024
ITEM 1C. CYBERSECURITY

 

The Company recognizes the importance of securing its information, devices, and data and the IT systems it relies on to conduct its business. The Company has established its Network, Information, and Data Security Policy Guidelines (the “NIDSP Guidelines”) designed to protect the integrity and confidentiality of data and information belonging to or being exchanged by the Company and its employees, partners, customers, service providers, and suppliers and to safeguard that information and the Company’s IT infrastructure from unauthorized access, use, disclosure, alteration, and destruction.

 

Risk Management and Strategy

 

The protections, procedures, and controls set forth in the NIDSP Guidelines demonstrate the Company’s attention to and prioritization of cybersecurity as a component of its overall strategy and system for managing risks. The NIDSP Guidelines include five policies described below, that together define the Company’s strategy and practices for managing cybersecurity threats and mitigating cybersecurity risks.

 

 

Physical Security Policy (the PSP). The PSP establishes guidelines related to selecting IT operation sites, designating security zones, using, inspecting, and storing IT Assets, designing restricted-access and security controls, and monitoring compliance with safety and security standards. The goal of the PSP is to minimize risks of damage, destruction, unauthorized access, inadvertent disclosure, misuse, loss, or theft of the Company’s IT Assets. In accordance with the PSP, the Company: (i) evaluates IT operation sites based on their susceptibility to natural disasters, crime and theft, and unauthorized access; (ii) requires the use of keycards or biometrics in order to enforce security zones and give users the least amount of access required to do their jobs; (iii) requires systems and devices that store confidential data to be maintained and protected in accordance with the Company’s Confidential Data Policy; and (iv) requires visitors at the Company’s office to complete a sign-in log, wear a visitor badge, and be escorted by a designated employee at all times.

 

 

Network Security Policy (the NSP). The NSP aims to protect the integrity of the Company’s data by securing the systems and devices that make up the Company’s network infrastructure. Pursuant to the NSP, the Company: (i) enforces strict password-construction criteria for network devices; (ii) requires employees to verify their identities using multi-factor authentication to access internal resources; (iii) maintains and reviews logs from application services, network devices, and critical devices and requires the retention of logs in accordance with the Company’s Retention Policy; (iv) implements and configures firewall technology to filter both inbound and outbound network connections; (v) authorizes the IT Manager to determine the extent and scope of external security testing to be performed; (vi) establishes a software-use policy; and (vii) requires antivirus and anti-malware software to be used and timely patched and updated on any Company-provided devices.

 

 

Backup Policy. The Company’s Backup Policy applies to all data stored on Company systems. The Backup Policy specifies the types of data and information considered to be critical to the Company’s operations and thus required to be backed up, establishes a backup schedule that is necessary for successful data recovery, and implements procedures for the off-site rotation, storage, and retention of backups. The Backup Policy also establishes the Company’s data-restoration procedures and mandates the periodic testing of those procedures.

 

 

Remote Access Policy (the RAP). The RAP defines the Company’s standards for accessing IT resources from outside the Company’s network, such as when an employee is working remotely. Pursuant to the RAP, remote access is only permitted if accomplished through secure, Company-provided means. The Company’s uses remote-access software designed to guard against unauthorized access using traffic encryption during transmission and firewall protections.

 

 

Confidential Data Policy (the CDP). The CDP governs the handling, storage, transmission, destruction, and protection of confidential data. Pursuant to the CDP, confidential data must be securely stored, removed from common areas, properly marked as confidential data, protected with strong encryption if being transmitted, and destroyed by means that make recovery impossible. Employees who are given access to confidential data are required to immediately notify their supervisor if they suspect any misuse or unauthorized disclosure of confidential information.

 

The Company’s NIDSP Guidelines and policies apply not only to the Company’s employees and consultants but also to any third parties that access or utilize the Company’s information and systems. Such third parties may include the Company’s service providers, customers, suppliers, contractors, consultants, and any other individuals the Company conducts business with. The IT infrastructure that the Company has developed in accordance with the NIDSP Guidelines is designed to monitor both internal and external cybersecurity risks. The NIDSP Guidelines equip the Company with the tools and systems necessary to recognize, address, and protect against risks associated with its third-party interactions.

 

16

 

Cybersecurity Governance

 

The Company’s IT Manager and executive team is responsible for the day-to-day management of cybersecurity risks, while the Company’s Board of Directors has responsibility for oversight of risk management.

 

As part of the Company’s framework for cybersecurity risk oversight and governance, the Company’s network, information, and data-security policies set forth in the NIDSP Guidelines are enforced by the Company’s IT Manager and/or its executive team. The IT Manager is an employee designated by the Company to manage the Company’s security policies and program. The IT Manager is tasked with ensuring that the Company maintains compliance with the Company’s security policies and any applicable security regulations. The IT Manager is responsible for: (i) implementing the Company’s security policies; (ii) disseminating the Company’s security policies to all employees; (iii) establishing a training program for all employees and users covered by the Company’s IT security policy to notify them of the Company’s security policies, train and re-train them to comply with the Company’s IT security program, and educate them on the importance of data security; (iv) performing any ongoing testing or analysis of the Company’s security infrastructure, policies, and procedures; and (v) updating the NSP and any other policies and guidelines as needed to comply with applicable regulations and to stay up to date with the changing IT security landscape.

 

The IT Manager works closely with the Company’s management and executive team to determine the Company’s IT-related needs, to evaluate the sufficiency of the Company’s data-governance policies and practices, to keep the Company’s management informed of notable cybersecurity-related updates, to review its security-related policies, and to identify ways to strengthen the systems and procedures implemented by the Company to detect, assess, and manage data risks.

 

In the event of the detection of an actual or suspected cybersecurity incident, the Company's IT Team, lead by the IT Manager, assesses the incident as “minimal”, “low", “moderate” or “high”. Incidents assessed at a minimal or low risk are reported to Company’s management and the Executive Chairman of the Board and the Executive Chairman of the Board may share this information with the Board. Incidents assessed at a moderate or high risk are reported to Company’s management, the Executive Chairman of the Board, and the Company’s Board of Directors.

 

Notwithstanding the Company’s cybersecurity-related policies, procedures, and governance framework, the ever-present threat of a cyber-attack, data breach, or other security incident is pervasive. The increasingly sophisticated nature of the tactics used to circumvent IT security safeguards makes cybersecurity threats increasingly difficult to detect and respond to. While the Company does not believe its business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity threats or incidents, there is no assurance that the Company will not be materially affected by such threats or incidents in the future. Accordingly, the Company will continue to monitor cybersecurity risks and strive to invest in and strengthen its cybersecurity infrastructure.