BioSig Technologies, Inc. - (BSGM)

10-K Filing Date: April 16, 2024
ITEM 1C – CYBERSECURITY

 

To respond to the threat of security breaches and cyberattacks, we have developed a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats to all information and systems owned by us. We maintain certain risk management processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impacts to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity, and availability of our information systems and the information residing therein.

 

Cybersecurity is reviewed as part of our overall enterprise risk management program, led by our Chief Administrative Officer, which assesses our significant enterprise risks, provides a summary of those risks and primary mitigations, identifies control improvement projects for our significant risks, and regularly reports on the progress of control improvement projects for those risks to our Board of Directors. Cybersecurity risks are reviewed by the Board of Directors, at least annually, as part of the Company’s corporate risk mapping exercise.

 


The Company’s processes are designed to identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to services that identify cybersecurity threats, analyzing reports of threats, conducting scans of the threat environment, evaluating threats reported to us and conducting vulnerability assessments to identify vulnerabilities.

 

We rely on a multidisciplinary team (including from management and third-party service providers) to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats. Management also conducts periodic and on-demand assessments of our cybersecurity risks.

 

Our Chief Administrative Officer is responsible for developing and implementing the cybersecurity risk management program and reporting on cybersecurity matters to the Board. Additionally, members of the third-party service providers have cybersecurity experience and/or certifications. We view cybersecurity as a shared responsibility across our management team and periodically perform simulations and incorporate external resources and advisors as needed. All employees are required to complete cybersecurity training at least annually and have access to more frequent cybersecurity training through online events.

 

The Chief Administrative Officer is responsible for continuously monitoring and assessing the Company’s cybersecurity risk management program, informing senior management regarding the prevention, detection, mitigation and remediation of cybersecurity incidents and supervising such efforts.

 

To operate our business, we utilize certain third-party service providers to perform a variety of functions, such as outsourced business critical functions, clinical research, professional services, SaaS platforms, cloud-based infrastructure, encryption and other functions. We have certain vendor management processes designed to help manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, and the sensitivity and quantity of information processed, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, conducting on-site inspections, requiring their completion of written questionnaires regarding their services and data handling practices, and conducting periodic re-assessments during their engagement.

 

We have not experienced any material cybersecurity incidents in the past, and we believe no cybersecurity events have occurred that have materially affected the Company or its business strategy, results of operations or financial condition. We continue to invest in the cybersecurity of our infrastructure and the enhancement of our internal controls and processes, which are designed to help protect our systems and data, and the information they contain. We carry insurance in amounts that we believe are reasonable for our business that provides protection against potential losses arising from a cybersecurity incident. However, there is no assurance that our insurance coverage will cover or be sufficient to cover all losses or claims that may arise from a cybersecurity incident.