Inogen Inc 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

Inogen Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 16:01:38 EST.

Filings

10-K filed on 2024-03-01

Inogen Inc filed an 10-K at 2024-03-01 16:01:38 EST
Accession Number: 0000950170-24-023820

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CY BERSECURITY Introduction: The medical device industry faces unique cybersecurity challenges, given the sensitive nature of the data and the critical role of devices in patient care. Cybersecurity, data privacy, and data protection are critical to our business. In the ordinary course of our business, we collect and store certain confidential information such as information about our employees, contractors, vendors, suppliers, patients and customers. We remain committed to implementing robust security measures to protect against potential cyber threats and vulnerabilities that are constantly evolving across the globe. Risk Management and Strategy: We have processes for assessing, identifying, and managing cybersecurity threats, and cybersecurity is an integral part of our overall enterprise risk management program which is overseen by our Audit Committee and the Board. Our strategy includes a comprehensive cybersecurity framework, utilizing advanced technologies and methodologies, such as cloud migrations and deployment of threat detection tools to effectively mitigate potential risks. Continuous risk assessments help us better refine our strategy, guiding the deployment of technical safeguards and shaping our incident response plans. For acquired companies, our integration strategies prioritize establishing comprehensive timelines for harmonizing information security, data privacy, and cybersecurity practices. This includes a strong focus on aligning employee education programs to ensure a seamless transition and uphold security and privacy standards across our entities. Our cybersecurity infrastructure is based on a multi-layered defense framework, aligned with the U.S. National Institute of Standards and Technology (NIST) guidelines. We take a risk-based approach to cybersecurity, which begins with the identification and evaluation of cybersecurity risks or threats that could affect our operations, finances, legal or regulatory compliance, or reputation. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers, ensuring the service providers adhere to our security standards, thereby safeguarding our integrated operations. The strategic migration of our data centers and infrastructure to secure cloud environments, coupled with the implementation of targeted technical cybersecurity measures, underscores our dedication to establishing foundational security across our users, applications, data, systems, and networks. We have established a comprehensive incident response plan to swiftly address and recover from cybersecurity incidents, minimizing operational impact. We conduct regular trainings and simulations to enhance our team’s awareness and preparedness against cyber threats. Biannual penetration testing and regular assessments by external experts validate the effectiveness of our cybersecurity measures. Our proactive approach to addressing identified vulnerabilities affirms the continuous improvement of our security posture. Use of Consultants and Advisors: We engage various third-party cybersecurity service providers to assess and enhance our cybersecurity practices and assist with protection and monitoring of our systems and information, including with respect to, network monitoring, endpoint protection, vulnerability assessments and penetration testing. We engage cybersecurity consultants, auditors, and other third parties to assess and enhance our cybersecurity practices, such as a third-party consulting firm to evaluate our cyber processes including an assessment of our incident response procedures. We have processes to evaluate third-party service providers and vendors that have access to sensitive systems and company and customer data, which may include due diligence procedures such as assessments of that service provider s cybersecurity posture or a recommendation of specific mitigation controls. Following an assessment, we determine and prioritize service provider risk based on potential threat impact and likelihood, and such risk determinations drive the level of due diligence and ongoing compliance monitoring required for each service provider. Board Oversight and Management s Role: The Board of Directors, both directly and through the delegation of responsibilities to the Audit Committee oversees the proper functioning of our cybersecurity risk management program to ensures strategic alignment and governance of our cybersecurity efforts at the highest level. In particular, the Audit Committee assists the Board in its oversight of management s responsibility to assess, manage and mitigate risks associated with our business and operational activities, to administer our various compliance programs, in each case including cybersecurity concerns, and to oversee our information technology systems, processes and data. 61 Management has implemented risk management structures, policies and procedures, and Management is responsible for our day-to-day cybersecurity risk management. Our Chief Data and Information Officer (CDIO) is responsible for our day-to-day assessment and management of cybersecurity risks. Our Enterprise Enablement function facilitates a cross-departmental approach, ensuring the executive leadership team receives quarterly updates on cybersecurity from various teams. This strategy promotes a comprehensive stakeholder engagement and enhances management oversight on cybersecurity. The updates cover progress on ongoing cybersecurity initiatives, insights from any potential threats or incidents, outputs and action plans from external vulnerability and penetration tests, and key performance metrics in line with industry standards. Risks from Material Cybersecurity Threats: Despite ongoing threats like cyber-attacks, phishing, and ransomware, we have not identified any cybersecurity threats that have materially affected or are reasonably anticipated to have a material effect on our business strategy, results of operations or financial condition. Our proactive security measures, alongside those of our third-party vendors, aim to protect our information technology systems and the sensitive data they hold. Although these risks have not yet materially impacted our business, we remain vigilant, continuously monitoring and adapting to evolving cybersecurity threats.

Company Information