IRADIMED CORP 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

IRADIMED CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 08:30:34 EST.

Filings

10-K filed on 2024-03-01

IRADIMED CORP filed a 10-K at 2024-03-01 08:30:34 EST
Accession Number: 0001558370-24-002235


Item 1C. Cybersecurity.

IRadimed employs a multilayer approach to addressing cybersecurity risk based on the National Institute of Standards and Technology (NIST) framework. It has established a cybersecurity team that utilizes internal and external assessments, automated monitoring tools, and input from public and private partners to identify potential cyber threats. External third-party security firms are engaged to assist with cybersecurity risk assessments, penetration testing and system security analysis. Our cybersecurity team works in conjunction with the management, legal, finance, accounting, operations, and information technology areas to assess the risk these identified cybersecurity threats present to the organization. To ensure consistency, these cybersecurity risk assessments are incorporated into IRadimed's enterprise risk management process, and our information technology leadership reviews the Company's enterprise risk management-level cybersecurity risks on a quarterly basis, and key cybersecurity risks are incorporated into the enterprise risk management framework.

Cybersecurity risks are managed and controlled through multiple overlapping layers of cybersecurity defenses that include: the implementation of a comprehensive cybersecurity policy that encompasses but is not limited to, information governance, monitoring, authentication, encryption, vulnerability management, third-party management, and recovery; required annual cybersecurity training for all employees with additional supplemental cybersecurity training required based on role; random employee phish testing, training and follow-up; procedural and automated cyber controls in conjunction with robust detection, mitigation, and recovery capabilities; the integration of multiple threat intelligence sources into our cybersecurity tools and processes; the retention of external cybersecurity threat response resources; and the formation of a multidisciplinary cybersecurity incident response team.

The IRadimed board of directors provides enterprise-level oversight of risks associated with cybersecurity threats through the Audit Committee, which serves and functions as the Board's primary oversight body to monitor the Company's cybersecurity and related information technology risk and assists the Company's board of directors in fulfilling its oversight responsibilities regarding the Company policies and processes with respect to risk assessment and risk management, including any significant non-financial risk exposures; reviewing and discussing our information security policies and internal controls regarding information security; and reviewing the annual disclosures concerning the role of the Board in the risk oversight of the Company. The Audit Committee performs an annual review of the cybersecurity program and receives regular updates on key cybersecurity risks, the cybersecurity risk management plan, and cyber incident event trends.

The Audit Committee oversees the Company's disclosure of any cybersecurity incident deemed material (and such materiality determination will be made by the Board upon recommendation of the Audit Committee) as required by the SEC or any other governmental authority, as applicable.

In addition to managing our own cybersecurity preparedness, we also consider and evaluate cybersecurity risks associated with the use of third-party service providers. Risk assessments are performed against third-party service providers with a specific focus on any sensitive data that is to be shared with them. The internal business owners of vertical applications are required to document user access reviews regularly. We request a System and Organizational Controls ("SOC") 2 report from the vendors of our enterprise cloud applications. If they do not provide us with a SOC 2, we seek additional compensating risk assurance in our contract language with them. Risks associated with the use of third-party service providers are managed as part of our overall cybersecurity risk management framework.

To continually manage and control the material risks that cybersecurity threats present to the organization, IRadimed invests significantly in the cybersecurity elements outlined above. In addition, the Company has made investments to fulfill the operational and financial regulatory requirements laid out by the Sarbanes-Oxley Act of 2002.

IRadimed faces a number of cybersecurity risks in connection with its business. Although such risks have not materially affected us, including our business strategy, results of operations, or financial conditions, to date, we have, from time to time, experienced threats to and breaches of our data systems, including malware, phishing and computer virus attacks.


Company Information

Name: IRADIMED CORP
CIK: 0001325618
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: IRMD - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30