IRIDEX CORP - (IRIX)
10-K Filing Date: March 29, 2024
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Process documentation is maintained by third party software provider through our document control department.
We conduct periodic risk assessments to identify cybersecurity threats and cybersecurity incidents, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; we reasonably address any identified gaps in existing safeguards; and we regularly monitor the effectiveness of our safeguards. We devote our resources and designate high-level personnel, including our internal Senior IT manager who reports to our Chief Operational Officer, to manage the risk assessment and mitigation process.
As part of our overall risk management system and in collaboration with human resources, IT, and management, we monitor, test, and train our employees on our safeguards. We inform and train personnel across all levels of our cybersecurity policies.
We engage third parties in connection with our risk assessment processes. These service providers assist us to design and implement our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.
Governance
37
The audit committee of our Board of Directors (the “Audit Committee”) has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the Audit Committee.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.