SI-BONE, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

SI-BONE, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:03:40 EST.

Filings

10-K filed on 2024-02-27

SI-BONE, Inc. filed a 10-K at 2024-02-27 16:03:40 EST
Accession Number: 0001459839-24-000014


Item 1C. Cybersecurity.

Risk management and strategy

We recognize the importance of protecting our critical information technology ("IT") systems and data from material risks from cybersecurity threats. Risk management for cybersecurity threats is integrated into our overall enterprise risk management system. We consider cybersecurity risks alongside other business risks. Our risk management framework includes risk assessments, internal controls, and systems monitoring mechanisms.

We have established processes designed to assess, identify, and manage material risks from cybersecurity threats to our IT systems and critical data, including intellectual property, confidential information, and personal data ("Information Systems and Data").

Third parties also play a role in our cybersecurity efforts. We engage third-party services to assist us from time to time to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on practices to address new challenges.

We conduct audits and evaluations of our IT infrastructure, network architecture, and software applications to help us identify vulnerabilities, potential entry points, and areas for improvement. We perform assessments considering principles from the National Institute of Standards and Technology Cybersecurity Framework and by using an external third-party security assessor from time to time.

Depending on the environment, we employ strategies and practices designed to protect and mitigate cybersecurity material risks to our Information Systems and Data, including but not limited to:

- Utilizing third-party tools to monitor threats and cybersecurity vulnerabilities, reduce risk, and enhance governance, risk, and compliance management.
- Engaging a managed cybersecurity service provider to monitor and assess cybersecurity threats, serve as a point of contact for incident notification, and collaborate with our in-house IT team.
- Maintaining security policies, procedures, and standards considering evolving threats and industry standards.
- Engaging external subject matter experts and advisors to inform us of current cyber practices, policies, and programs.
- Conducting tabletop exercises focused on scenarios such as ransomware, disaster recovery, and business continuity.
- Providing mandatory annual security and privacy awareness training to all employees who have access to company email and connected devices.
- Conducting phishing simulations and cyber hygiene training sessions to educate employees and promote responsible cybersecurity practices.
- Maintaining an incident response plan and conducting tabletop exercises.

We have established an incident response team, which is led by our IT, legal, and compliance leaders and is comprised of stakeholders from various departments in the Company. A designated member from our IT team is responsible for conducting incident assessments, determining severity levels, informing relevant stakeholders, such as the incident response team and senior management, and maintaining documentation of the remediation activity. In the event of a security incident, our incident response processes are designed to escalate certain cybersecurity incidents to senior leadership, the audit committee and the board of directors, as deemed appropriate.

Governance

Our audit committee is responsible for overseeing our cybersecurity risk management processes, including regarding cybersecurity threats. Our CFO, Anshul Maheshwari, and Senior Vice President of Operations & Technology, Jeff Bertolini, provide briefings to our audit committee on the effectiveness and progress of our cybersecurity risk management program on a regular basis. Mr. Bertolini has completed the Chief Technology Officer program at the Wharton School of the University of Pennsylvania and has over 30 years of experience leading all aspects of operations and IT.

Our board of directors receives regular reports from our audit committee chair regarding our cyber risk management programs, potential cybersecurity risks, efforts to mitigate such risks, and the audit committee's oversight of these activities.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see "Item 1A. Risk Factors", including "If we experience significant disruptions in our information technology systems, our business, results of operations, and financial condition could be adversely affected".


Company Information

Name: SI-BONE, Inc.
CIK: 0001459839
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: SIBN - Nasdaq
Website:
Category: Large accelerated filer; Smaller reporting company
Fiscal Year End: December 30