Paragon 28, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Paragon 28, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:02:47 EST.

Filings

10-K filed on 2024-02-29

Paragon 28, Inc. filed an 10-K at 2024-02-29 16:02:47 EST
Accession Number: 0000950170-24-023050

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We recognize the critical importance of safeguarding our information systems and data against evolving cybersecurity threats. Our program is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, preventative tools and technologies, monitoring and detection tools, and regular backup protocols. Additionally, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. The results of these assessments are reported to the Audit Committee. We assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop remediation or mitigation controls and safeguards. We conduct regular reviews and tests of our information security program including penetration and vulnerability testing to evaluate the effectiveness of our information security program and improve our security measures and planning. Our cybersecurity risk management program includes: Risk Assessment: Regular assessments identify and prioritize technical risks to critical assets through threat identification and vulnerability assessments. Risk Identification and Analysis: Prioritization of risks is based on standardized scoring frameworks, focusing resources on addressing the most significant threats. Risk Mitigation and Management: A range of controls and measures are implemented to mitigate identified risks, incorporating technical and procedural safeguards. Monitoring and Detection: Continuous monitoring systems are deployed to detect potential security incidents in real-time, ensuring a 24x7x365 capability to respond and mitigate. Cybersecurity Training and Awareness: New hire, annual, and ongoing security awareness training is given to all employees. Incident Response: A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents. Continuous Improvement: Commitment to continuous improvement is reflected in regular reviews, updates of risk assessments, and simulated cyberattacks to identify and remediate risks from existing and emerging threats. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our systems and information. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Security and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity, and data privacy incidents (if any) and status on key information security initiatives. Our management team, including the Director of IT Security, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both 81 our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team s experience includes over 20 years of Information Security experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Company Information