T Stamp Inc - (IDAI)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity
Risk Management and Strategy

We review cybersecurity risk as part of our overall enterprise risk management program. This ensures that cybersecurity risk management remains a top priority in our business strategy and operations.
Our risk management strategy includes, among other elements:
Identification: We aim to proactively identify sources of risk, areas of impact, and relevant events that could give rise to cybersecurity risks, such as changes to our infrastructure, service providers, or personnel.
Assessment: We conduct periodic risk assessments to identify cybersecurity threats. We also conduct likelihood and impact assessments with the goal of identifying reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Management: Following our risk assessments, we design and implement reasonable safeguards to address any identified gaps in our existing processes and procedures.
We engage third parties, including consultants and auditors, to evaluate the effectiveness of our risk management program, control environment, and cybersecurity practices through security audits, penetration testing, and other engagements.
The Company's cybersecurity policies and procedures are fully integrated into its broader risk management framework, reflecting a holistic approach to cybersecurity risk management. Regular cybersecurity risk assessments are conducted to identify potential threats and vulnerabilities, with detailed mitigation strategies developed and implemented accordingly.
Trust Stamp has adopted an Information Security Incident Response Plan that establishes policy and protocol to follow in response to an information security incident or event impacting Trust Stamp. This policy applies to all Trust Stamp employees holding management responsibilities. Incidents are reported by users through various methods, including verbally, by email, or by other means. The Development Operations team, via the Chief Technology Officer or Executive Vice President, is the main point of contact for technical support issues. It is to be expected that potential security incidents will be raised through this channel.
The Company engages third-party cybersecurity assessments to ensure an objective evaluation of its cybersecurity stance, including the effectiveness of its risk management strategies. Oversight of cybersecurity risks posed by third-party service providers is systematically managed, ensuring that all external risks are identified and mitigated.
The Company did not have any material cybersecurity breaches during the year ended December 31, 2023.
Board of Directors Governance
The Board of Directors (the "Board") includes members with substantial cybersecurity expertise, ensuring informed oversight of cybersecurity risks. Documentation of the Board's involvement in cybersecurity oversight is maintained, highlighting the frequency and topics of discussions related to cybersecurity risks and incident response. The Board is regularly updated on cybersecurity risks and incidents through established reporting mechanisms, ensuring they are well-informed to make strategic decisions regarding the Company's cybersecurity posture.
Management's Governance
Management's roles and responsibilities in cybersecurity oversight are clearly defined, with specific committees or positions designated for managing cybersecurity risks. The day-to-day management of cybersecurity is the responsibility of the Chief Technology Officer, who oversees our technology team. These responsibilities include procedures for incident response and regular reporting of cybersecurity information to the Board, ensuring effective communication and oversight. Cybersecurity risk management is seamlessly integrated into the Company's overall business strategy and decision-making processes, demonstrating a proactive approach to managing cybersecurity risks.

The Company has established clear criteria for determining the materiality of cybersecurity incidents, which include assessing potential or actual financial impacts, reputational damage, and operational disruptions. Documented incidents are meticulously recorded, detailing their nature, scope, and financial implications, ensuring transparency and accountability. The timeliness of Form 8-K filings following material cybersecurity incidents is strictly adhered to, with a thorough process in place for documenting any reasons for delayed disclosures. This ensures compliance with SEC requirements and maintains stakeholder confidence in the Company's cybersecurity posture.