TACTILE SYSTEMS TECHNOLOGY INC 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

TACTILE SYSTEMS TECHNOLOGY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 07:55:29 EST.

Filings

10-K filed on 2024-02-20

TACTILE SYSTEMS TECHNOLOGY INC filed an 10-K at 2024-02-20 07:55:29 EST
Accession Number: 0001558370-24-001330

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize the critical importance in developing, implementing and maintaining robust cybersecurity measures and processes that are designed to safeguard our information systems and to assess, identify and manage material risks from cybersecurity threats. The fundamental controls of our cybersecurity program are based around the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). We engage qualified third-party consultants and advisors to conduct risk and vulnerability assessments to evaluate our systems and to advise us on cybersecurity risk management processes. We maintain a robust vulnerability-management program to evaluate our systems on a monthly basis, and we prioritize remediation efforts based on risk level and criticality of the system or data. We conduct comprehensive penetration testing with external consultants on our enterprise environment and our own products on at least an annual basis. Cybersecurity risk management is an integral part of our technology modernization program. It is integrated into our business, as well as the broader software and digital environment. Our technology modernization program will move many of our core applications to industry-specific healthcare cloud solutions that offer robust HIPAA compliant, data security capabilities and tools. Our modernization plans revolve around simplifying our technology estate to reduce technical debt, automate security functions, and enable applications to take full advantage of best-practice, cloud security capabilities. Our cybersecurity risk management process includes assessment of third-party service providers, suppliers and other business partners ability to maintain compliance with our cybersecurity requirements, including review of Service Organization Control Type 2 ( SOC 2 ) reports and security controls. Our onboarding process for any third-party service provider includes execution of a business associate agreement that defines the service provider s responsibility to notify us in the event of any known or suspected cyber incident. We maintain a thorough business continuity and resilience program designed to ensure our operations will withstand significant disruption and minimize impact on our patients and employees in the face of a significant challenge. Using standards developed by Disaster Recovery Institute International (DRII), we regularly conduct a business impact analysis to determine risk level, assess impact severity and prioritize business processes based on company needs. 68 Table of Contents As part of our monitoring process, we perform tabletop exercises at least annually to test our current plans. These cross-functional exercises involve employees from multiple departments and are designed to gain perspective, collect feedback and validate plan effectiveness. The information obtained from the business impact analysis, exercises and testing is utilized to update contingency plans for each department. While we have experienced cybersecurity incidents and expect to continue to be subject to such incidents, to date, we have not experienced any cybersecurity incidents that have materially affected our business strategy, results of operations or financial condition. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, including our business strategy, results of operations, or financial condition, as further described in Part I, Item 1A, “Risk Factors” of this Annual Report on Form 10-K. Governance The Audit Committee of the Board of Directors oversees our cybersecurity and risk management programs, and receives updates from our Information Security and Compliance teams regarding the effectiveness of these programs on a quarterly basis. These reports include descriptions of security incidents and observed trends in threat activity, new programs and tooling designed to address developing areas of risk, and performance reporting of third-party testing, including security awareness training and cybersecurity assessments. The full Board of Directors has general oversight of the Company s risk management programs, which include cybersecurity risks, and the Audit Committee provides regular reports to the full Board of Directors related to cybersecurity matters and related risk oversight. The Company s Director of Information Security reports to our Chief Information Officer. Our Director of Information Security is responsible for our cybersecurity program, develops and publishes security policies and procedures, and reports to the Audit Committee on the effectiveness of our security program. Our Director of Information Security has 24 years of technology leadership experience, including 18 years directly overseeing cybersecurity programs in the healthcare device manufacturing industry, and holds the Certified Information Systems Security Professional (CISSP) certification. Our Director of Information Security is responsible for the Company s Information Security Awareness Program, which includes security training for new hires and ongoing education for all staff, including annual refresher training and periodic bulletins regarding security risks. Security awareness email testing is performed on a monthly basis, with employee performance reported to management for inclusion in performance evaluations. Our Director of Information Security also performs risk assessments of third-party partners, including reviews of SOC 2 reports.

Company Information