Danimer Scientific, Inc. - (DNMR)

10-K Filing Date: March 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have an enterprise-wide information security program designed to identify, protect, detect, respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting, monitoring and detection tools.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely-adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop related security controls and safeguards. We conduct regular reviews and tests of our information security program and leverage testing by our internal audit team, tabletop exercises, and vulnerability testing, simulations, and other exercises to evaluate the effectiveness of our information security program and improve our security measures and planning. The results of these assessments are reported to our Audit Committee.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information (of third parties, employees, and our members) and other data, confidential information or intellectual property. However, to date these incidents have not had a material impact on our service, systems or business. Any significant disruption to our service or access to our systems could adversely affect our business and results of operation. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of personal information could subject us to business, regulatory, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations.

Our Vice President of Information Technology leads our internal IT team and is responsible for overseeing our information security program. Team members who support our information security program have relevant educational and industry experience. Our IT team members provide regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings.

We also participate in a cybersecurity risk insurance policy.

For additional information regarding cybersecurity threats that may materially affect the Company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including the risk factor entitled “If we experience a significant disruption in our information technology systems, including security breaches, or if we fail to implement new systems and software successfully, our business operations and financial condition could be adversely affected.”

Governance

One of the functions of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board of Directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board of Directors administers its cybersecurity risk oversight function directly as a whole and through its committees. Particularly, the Audit Committee of the Board of Directors oversees our cybersecurity risk and receives regular reports from our Vice President of Information Technology on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance.