Xtant Medical Holdings, Inc. - (XTNT)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity

 

Background

 

Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as information about our employees, contractors, vendors, customers, suppliers, independent sales agents and distributors. We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats, and we monitor the Company’s overall security score to assess performance and identify areas for improvement. In recent years, we have installed a new firewall to better protect from network intrusions, hired a Network and Security Administrator, and engaged a third-party service provider to perform an internal penetration test in order to identify and address vulnerabilities. Additionally, we introduced always-on VPN in an effort to better restrict off-campus network access in light of the increase in the number of our employees working remotely in recent years, enhanced our monitoring and control capabilities, and hardened our cloud computing cybersecurity footprint. Management continually re-assesses the Company’s cybersecurity risk environment based on changing circumstances and new information identified by its monitoring, scanning and testing as well as third-party resources.

 

Risk Management and Strategy

 

Our processes for assessing, identifying, and managing cybersecurity threats have been integrated into our overall risk management processes. The information provided by these processes facilitates management’s ongoing assessment of our cybersecurity risk environment and provides current and accurate information regarding cybersecurity risks to management, our Audit Committee and Board of Directors to allow appropriate management of such risks through remediation or other risk mitigation activities.

 

We maintain a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and to protect the confidentiality, integrity, and availability of our information systems, including the information residing on such systems. The National Institute of Standards and Technology Cybersecurity Framework helps inform our cybersecurity agenda and prioritize our cybersecurity activities. We take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect our operations, finances, legal or regulatory compliance, or reputation. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers. Once identified, cybersecurity risks and related mitigation efforts are prioritized based on their potential impact, likelihood, velocity, and vulnerability, considering both quantitative and qualitative factors. Risk mitigation strategies are developed and implemented based on the specific nature of each cybersecurity risk. These strategies include, among others, the application of cybersecurity policies and procedures, implementation of administrative, technical, and physical controls, and employee training, education, and awareness initiatives.

 

Role of Management

 

Management has implemented risk management structures, policies and procedures and is responsible for our day-to-day cybersecurity risk management. Our Director of Information Technology, Chris Dennis, is responsible for our day-to-day assessment and management of cybersecurity risks. Mr. Dennis has served as our Director of Information Technology since June 2019. Mr. Dennis additionally is the founder of a data privacy consulting company and has over 20 years of experience in the data management space. We have implemented a number of processes which allow Mr. Dennis and his team to be informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents. These processes include, among other things, system alerts of potential malicious cyber activity, access to real-time dashboards that monitor and assess our systems, status reports provided on a daily, weekly and monthly basis, and regular ongoing communications with service providers regarding potential new attack vectors and vulnerabilities. Mr. Dennis and his team share such information with our management team and report information about such risks to our Audit Committee.

 

Use of Consultants and Advisors

 

We engage various third-party cybersecurity service providers to assess and enhance our cybersecurity practices and assist with protection and monitoring of our systems and information, including with respect to protection of our e-mail, system access, network monitoring, endpoint protection, vulnerability assessments and penetration testing. We engage cybersecurity consultants, auditors, and other third parties to assess and enhance our cybersecurity practices, such as a third-party consulting firm to perform tabletop exercises and evaluate our cyber processes, including an assessment of our incident response procedures.

 

Board Oversight

 

The Board of Directors, both directly and through the delegation of responsibilities to the Audit Committee, oversees the proper functioning of our cybersecurity risk management program. In particular, the Audit Committee assists the Board of Directors in its oversight of management’s responsibility to assess, manage and mitigate risks associated with the Company’s business and operational activities, to administer the Company’s various compliance programs, in each case including cybersecurity concerns, and to oversee our information technology systems, processes and data. The Audit Committee, which is comprised entirely of independent directors, is responsible for periodically reviewing and assessing with management (i) the adequacy of controls and security for our information technology systems, processes and data, and (ii) our contingency plans in the event of a breakdown or security breach affecting our information technology systems, it being understood that it is not possible to eliminate all such risks and that the Company will necessarily face a variety of risks with respect to information technology in the conduct of its business. The Audit Committee is additionally responsible for reviewing the cybersecurity disclosures required to be included in our filings with the SEC.

 

The Audit Committee reviews a cybersecurity dashboard at its regularly held meetings, which includes certain information about overall security, employee training, and other statistics. Members of our management team often attend these discussions, and the Audit Committee has requested that Mr. Dennis provide updates at two of its meetings annually. The management team and/or Audit Committee, in turn, regularly provide data protection and cybersecurity reports to the full Board of Directors.

 

Although none of the members of the Audit Committee has any work experience, degree, or certifications related to information security or cybersecurity, the Audit Committee works closely with members of our employee team with relevant expertise, and we have engaged third-party service providers to further enhance our cybersecurity efforts.

 

Risks from Material Cybersecurity Threats

 

Although we have taken steps to prevent and mitigate data security threats, there can be no assurance that our protective measures and those of our third-party service providers will prevent or detect security breaches that could have a significant impact on our business, reputation, operating results and financial condition. We maintain cyber liability insurance; however, this insurance may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems. As of the date of this filing, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on our business strategy, results of operations or financial condition. Although we have not experienced cybersecurity incidents that are individually, or in the aggregate, material, we have experienced cyberattacks in the past, which we believe have thus far been mitigated by the preventative, detective, and responsive measures we have put in place. See the factors described in the “Part I. Item 1.A. Risk Factors” section of this Form 10-K for further detail about the cybersecurity risks we face. Maintaining a robust information security system is an ongoing priority for us, and we plan to continue to identify and evaluate new, emerging risks to data protection and cybersecurity both within our Company and through our engagement of third-party service providers.