Pulmonx Corp 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Pulmonx Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:07:51 EST.

Filings

10-K filed on 2024-02-27

Pulmonx Corp filed a 10-K at 2024-02-27 16:07:51 EST
Accession Number: 0001127537-24-000024


Item 1C. Cybersecurity.

Risk management and strategy

We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and critical data, including intellectual property, and confidential information that is proprietary, strategic or competitive in nature ("Information Systems and Data"). Our assessment, identification and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes.

We rely on a multidisciplinary team, including our information technology department, legal department, management, engineering operations, and third-party service providers (the "Security Function") to help assess, identify and manage the Company's cybersecurity threats and risks. Various members of the Security Function monitor and evaluate our cybersecurity threat environment using various methods including, for example, using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, and evaluating threats reported to us.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, an incident response plan, risk assessments, incident detection and response, vulnerability management, encryption of data, network security controls, data segregation, access controls, physical security, systems monitoring, employee training, cybersecurity insurance, and asset management, tracking and disposal.

We work with third-parties from time to time to assist us to identify, assess, and manage risks from cybersecurity threats, including, for example, professional services firms, including outside legal counsel, cybersecurity consultants, and cybersecurity software providers.

We use certain third-party service providers to perform a variety of functions that help us operate our business, such as application providers, hosting companies, contract research organizations, distributors, and supply chain resources. Depending on the nature of the services provided, the sensitivity and information processed, and the identity of the service provider, our vendor management process may include different levels of assessment designed to help identify cybersecurity risk associated with a provider. Such assessments include, for example, reviewing the written security program of such provider and conducting security assessments and audits.

See Part I, Item 1A, "Risk Factors" for a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, including the risk factor titled, "If our information technology systems or data, or those third parties upon which we rely, are or were compromised, we could experience adverse impacts resulting from such compromise, including, but not limited to, interruptions to our operations such as our clinical trials, claims that we breached our data protection obligations, harm to our reputation, and a loss of customers or sales."

Governance

Our board of directors addresses the Company's cybersecurity risk management as part of its general oversight function. The board of directors' Audit Committee is responsible for overseeing the Company's cybersecurity risk management processes, including the Company's oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including the Senior Director of Information Technology, who has worked in various roles responsible for securing networks and application systems, the Chief Executive Officer, the General Counsel, the Interim Chief Financial Officer, and the VP of Finance and Administration. These members of management are responsible for hiring appropriate personnel, integrating cybersecurity risk considerations into the Company's overall risk management strategy, and communicating key priorities to relevant personnel. They are also responsible for approving budgets, helping to prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

When incidents are identified, these members of management are responsible for determining whether such incidents are material and may escalate material incidents to the Audit Committee and/or investors, based on the particular circumstances. The Audit Committee receives periodic updates from management concerning the Company's significant cybersecurity threats, risks, and the processes the Company has implemented to address them. In addition, the Audit Committee and management maintain an ongoing dialogue regarding emerging or potential cybersecurity risks.


Company Information

Name: Pulmonx Corp
CIK: 0001127537
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: LUNG - Nasdaq
Website
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30