Venus Concept Inc. - (VERO)
10-K Filing Date: April 01, 2024
Cybersecurity.
We recognize the critical importance of maintaining the safety and security of our systems and data and have a holistic process for overseeing and managing cybersecurity and related risks. This process is supported by both management and our Board. As such, we are committed to maintaining robust governance and oversight of these risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. While we have not, as of the date of this Annual Report, experienced a “cybersecurity threat” (as defined in Item 106(a) of Regulation S-K) or “cybersecurity incident” (as defined in Item 106(a) of Regulation S-K) that has materially affected or was reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition, there can be no guarantee that we will not experience such a cybersecurity threat or cybersecurity incident in the future. Such threats or incidents, whether or not successful, could result in us incurring significant costs related to rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as potentially incurring significant reputational harm. In addition, these cybersecurity threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. 
Our cybersecurity program is designed to detect and investigate cybersecurity threats against our network, products, and services, and to prevent their occurrence and recurrence through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown cybersecurity threats. In some instances, we, our suppliers and our customers can be unaware of a cybersecurity threat or cybersecurity incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm.
We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity program focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. Our cybersecurity program is designed to be aligned with applicable industry standards and is assessed periodically by independent third-party auditors. We have processes in place to assess, identify, manage, and address material cybersecurity threats and cybersecurity incidents. These include, among other things: ongoing security awareness training for our employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We actively engage with industry groups for benchmarking and awareness of best practices. We monitor potential cybersecurity threats that are internally discovered or externally reported to us that may affect our business and have processes to assess those issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. All transactions with third parties are conducted through secure gateways with access being controlled solely by the Company.
We describe how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in the risk factor titled “Security breaches and other disruptions could compromise our information and expose us to liability” under Item 1A. Risk Factors of this Annual Report.
Cybersecurity Governance
Management's Role
Our Director, Information Technology (the “DIT”) and General Counsel have primary responsibility for assessing and managing material cybersecurity risks. Both are members of management’s IT Steering Committee (the “Steering Committee”), a cross-functional team that consists, in part, of the executive team and certain members of the senior leadership team, and that drives alignment on information technology security decisions across the Company. The Steering Committee meets quarterly, or more frequently as determined to be necessary or advisable, to review security performance metrics, identify security risks, and assess the status of approved security enhancements. The Steering Committee also considers and makes recommendations on security policies and procedures, security service requirements, and risk mitigation strategies. The Steering Committee also receives, from members of the Information Technology team, prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Once the Steering Committee has considered this information and recommended a course of action, senior executives provide the Board with updates concerning cybersecurity risks and the Company's cybersecurity strategies and objectives.
Our DIT has served in various roles in information technology and information security for over 20 years, delivering and managing complex information technology systems including the cybersecurity function for governments, industry leaders and public companies. Our DIT holds an undergraduate degree from Tel Aviv University and a postgraduate degree from the London School of Economics. Our General Counsel has over 13 years of experience managing risks, including risks arising from cybersecurity threats, at other publicly traded companies.
Board Oversight
Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Board has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board is assisted by the Audit Committee, which is responsible for the oversight of risks from cybersecurity threats and regularly reviews our Company’s risk matrices, including cybersecurity, with management and reports to the Board. Cybersecurity reviews by the Audit Committee or the Board generally occur at least annually, or more frequently as determined to be necessary or advisable. Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. As noted above, if a significant cybersecurity incident occurs, the Steering Committee will report the same promptly to the Board on an ad hoc and as-needed basis. Otherwise, management reports cybersecurity risks and developments to the Board quarterly.