ICAD INC - (ICAD)
10-K Filing Date: March 29, 2024
Cybersecurity
Risk management and strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of data.
Managing Material Risks & Integrated Overall Risk Management
The Company has strategically integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity risk management. This integration ensures that cybersecurity considerations are an integral part of our decision-making processes at every level. Our management team works closely with our IT department to continuously evaluate and address cybersecurity risks in alignment with our business objectives and operational needs.
Engage Third-parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including cybersecurity consultants, to evaluate and test our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, and ensure our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaborations with these third-parties include threat assessments and security enhancement consultations.
Oversee Third-party Risk
Because we are aware of the risks associated with third-party service providers, we implement stringent processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes ongoing assessments by our security analysts. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third-parties.
Risks from Cybersecurity Threats
We have not encountered cybersecurity challenges that have materially impaired our operations or financial standing.
Governance
The Board is acutely aware of the critical nature of managing risks associated with cybersecurity threats. The Board has established robust oversight mechanisms to ensure effective governance in managing risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.
Board of Directors Oversight
The Audit Committee of the Board (the "Audit Committee") is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise including, risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively.
Management’s Role Managing Risk
The Chief Product Officer (the "CPrO"), the Chief Technology Officer (the "CTO"), the Chief Operations Officer (the "COO"), and the Chief People Officer (the "CPO") form the Risk Management team (the "RMT"). The RMT and the Chief Executive Officer (“CEO”) play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide comprehensive briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including:
● | Current cybersecurity landscape and emerging threats; | |
● | Status of ongoing cybersecurity initiatives and strategies; | |
● | Incident reports and learnings from any cybersecurity events; and | |
● | Compliance with regulatory requirements and industry standards. |
In addition to our scheduled meetings, the Audit Committee, RMT, and CEO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of the Company. The Audit Committee conducts an annual review of the company’s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the RMT. With deep experience in technology, operations, security, compliance and risk management, the RMT brings a wealth of expertise in enterprise cybersecurity and are instrumental in developing and executing our cybersecurity strategies. The RMT oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program.
Monitor Cybersecurity Incidents
The RMT is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The RMT implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the RMT is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to Board of Directors
The RMT regularly informs the CFO and CEO of all aspects related to cybersecurity risks and incidents. This ensures that the highest levels of management are kept abreast of the cybersecurity posture and potential risks facing the Company Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues.
See “Item 1A. General Risk Factors – Security breaches and other disruptions could compromise the Company’s information and expose the Company to liability, which would cause its business and reputation to suffer and could subject it to substantial liabilities.” for more information.