GLAUKOS Corp 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 11, 2024

GLAUKOS Corp reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-23 17:23:59 EST.

Filings

10-K filed on 2024-02-23

GLAUKOS Corp filed a 10-K at 2024-02-23 17:23:59 EST
Accession Number: 0001558370-24-001630


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of maintaining the security of our information systems and assets, and have several cybersecurity processes and controls designed to identify, assess and manage the risks associated with cybersecurity threats and cybersecurity incidents.

Risk Management Systems and Processes

To identify and assess material risks from cybersecurity threats, our enterprise risk management program considers cybersecurity threat risks alongside other company risks as part of our overall risk assessment process. Our enterprise risk management program is administered by the Company's legal and internal audit functions, and facilitates the process of identifying and assessing cybersecurity threat risks, as well as monitoring the effectiveness of our risk mitigation efforts. During the year, our senior management periodically identifies the cybersecurity risks facing the Company and reviews our mitigation plans related to these risks. These senior leaders conduct an evaluation of the severity of these identified risks and any changes to this risk level or the Company's mitigation efforts since the prior evaluation. The severity of risks is measured based upon the potential adverse impact that could result, the immediacy of the threat and the availability of mitigating factors, among other elements. Management may consult with outside consultants, such as legal counsel or cybersecurity advisors, in assessing risks and developing mitigation plans. Both the Audit Committee and the full Board regularly receive reports from such outside experts in response to emerging or higher risk areas. We also have specific cybersecurity risk assessment processes which help identify our cybersecurity threat risks, including a comparison of our processes to industry standards as well as periodic third-party assessments of our programs.

We compare our Information Security Program with industry standards including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and ISO 27001. In order to enhance internal expertise, members of our Information Technology (IT) department maintain various cybersecurity-related certifications. We also maintain written incident response and security policies that seek to ensure we are protected and ready to respond should a security incident occur. Incidents are investigated and analyzed for potential impact. If impact is present, the appropriate departments, key employees, and executive management team members are notified as part of the incident response process. Our incident response plan coordinates the activities we would take to respond to and recover from cybersecurity incidents, which include processes to triage, assess severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate potential liability and reputational damage. If appropriate, incidents may be reported to senior management, the Audit Committee or the full Board.

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, we undertake the activities listed below:

- closely monitor emerging data protection laws and implement responsive changes to our processes;
- conduct annual cybersecurity training for all employees and contractors who use our systems;
- conduct regular email phishing testing exercises for all employees to enhance awareness and responsiveness to such possible threats;
- require employees, as well as contractors who have access to our systems or the data of our employees or customers, to treat information as confidential;
- schedule tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes, technologies and incident response plan; and
- carry cyber risk insurance that provides protection (as specified in the applicable policies) against certain potential costs and losses arising from a cybersecurity incident.

Engagement of Third Parties

As part of the above processes, we regularly engage with assessors, consultants, and other third parties to review our cybersecurity program. These reviews are intended to evaluate the effectiveness and robustness of the security measures implemented in our networks and information systems, identifying potential vulnerabilities, performance improvements, and recommended improvement strategies. These security assessments may focus on key areas such as user access controls, data encryption processes, auditing and monitoring of database activities, system and server configuration and update procedures.

Threats from Third Party Service Providers

Our processes also address cybersecurity threat risks associated with our use of third-party software and system providers. Third-party risks are included within our enterprise risk management assessment program, which is discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on high-risk third parties that provide us software or have access to our systems or highly sensitive information, and monitor cybersecurity threat risks identified through such diligence. New software is evaluated for risk and approved by our internal Software Approval Board before purchase or installation on our systems. We formed a Software Approval Board, which is made up of cross-functional members from Quality, Internal Audit, Information Security, Business Systems, and R&D, to help determine risk and impact of any potential newly proposed software. Additionally, we generally require those high-risk third parties to agree by contract to manage their cybersecurity risks in specified ways. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.

Material Impact of Cybersecurity Threats or Incidents

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading Risks Related to our Business, included as part of our risk factor disclosures at Item 1A of this Annual Report, which disclosures are incorporated by reference herein. We are not aware of any material cybersecurity incidents that have occurred in the last three fiscal years, and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.

Governance

Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.

Board Oversight

The Audit Committee of our Board is responsible for the oversight of risks from cybersecurity threats. At least twice a year, the Audit Committee receives a report from the head of Information Technology of our cybersecurity threat risk management and mitigation strategy covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and potentially material cybersecurity threat risks or incidents, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives information describing current and emerging material cybersecurity threat risks, and describing the Company's plans to mitigate those risks, and discusses such matters with our head of IT and other members of senior management. Potentially material cybersecurity threat risks are also considered during separate Board discussions of important matters like enterprise risk management. Two members of our Board, including one member of the Audit Committee, have earned cybersecurity certifications to help them identify cybersecurity threats and oversee management's efforts to manage and mitigate them.

Management Oversight

While the Audit Committee reviews and oversees the Company's information security efforts, senior leadership is responsible for the day-to-day management of cybersecurity risk and the design and implementation of policies, processes and procedures to identify and mitigate this risk. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Legal department and our Internal Audit department, working with our IT department. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.


Company Information

Name: GLAUKOS Corp
CIK: 0001192448
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: GKOS - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30