VAPOTHERM INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

VAPOTHERM INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:16:02 EST.

Filings

10-K filed on 2024-02-22

VAPOTHERM INC filed an 10-K at 2024-02-22 16:16:02 EST
Accession Number: 0000950170-24-018788

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We understand the importance of preventing, assessing, identifying, and managing material risks associated with cybersecurity threats. Cybersecurity processes to assess, identify and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and have been embedded in our operating procedures, internal controls and information systems. On a regular basis, we implement into our operations these cybersecurity processes, technologies, and controls to assess, identify and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic penetration testing and tabletop exercises to inform our risk identification and assessment of material cybersecurity threats. To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we: Monitor emerging data protection laws and implement changes to our processes to comply Conduct periodic customer data handling and use requirement training for our employees Conduct periodic vulnerability assessments and mitigate vulnerabilities for our systems and processes that include sensitive data; Conduct regular security awareness trainings and phishing simulation attacks Carry cybersecurity risk insurance that provides protection against the potential losses arising from a cybersecurity incident; and Perform periodic gap analyses to review our cybersecurity controls for gaps and implement the closure actions Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. As part of the above processes, we engage with consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance. Our processes also include assessing cybersecurity threat risks associated with our use of third-party services providers in normal course of business use, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our risk management process discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data. Management has implemented risk management structures, policies and procedures, and manages our risk exposure on a day-to-day basis. We have a cybersecurity organization within our information technology department that focuses on current and emerging cybersecurity matters and leverages cybersecurity consultants and third-party cybersecurity firms. Our cybersecurity function is led by our Chief Financial Officer, who reports to our Chief Executive Officer. Our Chief Financial Officer and cybersecurity organization are actively involved in assessing and managing cybersecurity risks. They are responsible for implementing cybersecurity policies, programs, procedures, and strategies. 73 Our Audit Committee of the Board of Directors is responsible for oversight of our risk assessment, risk management, disaster recovery procedures and cybersecurity risks. Periodically during each year, the Audit Committee receives an overview from our Chief Financial Officer of our cybersecurity threat risk management and strategy processes, including potential impact on the Company, the efforts of management to manage the risks that are identified and our disaster recovery preparations. Members of the Board of Directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. As of the date of this filing, we do not believe that our business strategy, results of operations or financial conditions have been materially affected by any cybersecurity incidents for the reporting period covered by this report. However, companies like us, as well as our employees, service providers and other third parties, have experienced information security and cybersecurity attacks in the past and will likely continue to be the target of cyber actors. We describe whether and how risks from identified cybersecurity threats have or that are reasonably likely to affect our financial position, results of operations and cash flows, under the heading Risks Related to Our Business included as part of our Item 1A. Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.

Company Information