Butterfly Network, Inc. 10-K Cybersecurity GRC - 2024-03-04

Page last updated on July 2, 2024

Butterfly Network, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-04 07:00:44 EST.
10-K filed on 2024-03-04

Butterfly Network, Inc. filed a 10-K at 2024-03-04 07:00:44 EST
Accession Number: 0001558370-24-002308


Item 1C. Cybersecurity.

Butterfly Network, Inc. uses, stores and processes data for and about our customers, employees, partners and suppliers. We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data and our systems.

Risk Management Strategy and Governance

Under the ultimate direction of our Chief Executive Officer, our Information Security Committee has primary responsibility for overseeing our management of cybersecurity risks. It is chaired by our Chief Information Security Officer, or CISO, who reports directly to our Chief Executive Officer. Other members of the committee include representation from information technology, quality, product, operations, sales, and compliance, as well as advisory support from internal audit. Our CISO, working with his team and the Information Security Committee, has primary responsibility for assessing and managing our cybersecurity threat management program.

The current CISO has more than 25 years of experience in building and leading information systems and security teams and has worked at a variety of institutions to implement and manage cybersecurity programs. These entities have included large, publicly-traded companies and smaller startups. The CISO’s experience includes developing and maintaining tools and processes to protect internal networks, customer payment systems and cloud systems used by customers and the Company. The CISO also has a PhD in computer science and engineering and completed his thesis in information security.

The Information Security Committee meets periodically and as circumstances warrant to discuss and monitor prevention, detection, and remediation of risks from cybersecurity threats. When appropriate, cyber or information security incidents would be escalated by the CISO to our executive leadership team and/or our disclosure committee. On a regular basis, the CISO also updates the executive management team on developments within the cybersecurity sphere.

The Board of Directors has delegated oversight of the Company’s cybersecurity program to the Audit Committee of the Board of Directors. As provided in the Audit Committee Charter, the Audit Committee is responsible for reviewing reports on data management and security initiatives and significant existing and emerging cybersecurity risks, including cybersecurity incidents, the impact on the Company and its stakeholders of any significant cybersecurity incident, and any disclosure obligations arising from any such incidents. Our CISO meets at least annually with the Audit Committee of the Board of Directors to discuss management’s ongoing cybersecurity risk management programs. He provides information about the sources and nature of risks the Company faces, how management assesses such risks (including in terms of likelihood and severity of impact), progress on vulnerability remediation, and current developments in the cybersecurity landscape. In turn, the Chair of the Audit Committee provides a readout to the full Board of Directors that includes a summary of the CISO’s presentation to enable discussion of cybersecurity risk management at the full board level.

Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us, our business strategy, results of operations or financial condition, we could, from time to time, experience threats and security incidents relating to our and our third party vendors’ information systems. For more information, please see Part I, Item 1A "Risk Factors."

Processes for the Identification of Cybersecurity Threats

Our Information Security team is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. It works with other groups in the company to understand the severity and the likelihood of the potential consequences of a cybersecurity incident and to make decisions about how to prioritize mitigation and other initiatives based on, among other things, materiality to the business. The Information Security team has processes designed to keep the company apprised of the different threats in the cybersecurity landscape; this includes intelligence network alerts, working with researchers, discussions with peers at other companies, monitoring social media, reviewing government alerts and other news items, and attending security conferences. The team also regularly monitors our internal network and our customer-facing network to identify security risks. In addition, the team has completed several assessments and threat modeling tabletop exercises based on “what-if” scenarios.

We have an employee education program that is designed to raise awareness of cybersecurity threats to reduce our vulnerability as well as to encourage consideration of cybersecurity risks across functions. Security training is required upon hire for new employees, and on an annual basis for the rest of the workforce.

As part of the assessment of the protections we have in place to mitigate risks from cybersecurity threats, we engage third parties to conduct vendor risk assessments. To assess the effectiveness of our program, we also have engaged consultants to conduct penetration testing and other vulnerability assessments. Before purchasing third party technology or other solutions that involve exposure to the company’s assets and electronic information, our Information Technology group requires those companies to complete a security review before being approved to work with the company. We utilize an external tool to manage critical vendors. Vendors are assessed to determine inherent and residual risk.

Annually, the security team conducts a risk assessment that is informed by industry standards. The Risk Assessment consists of:
● Listing the vulnerabilities company assets are exposed to
● Identifying the threats that may exploit such vulnerabilities
● Calculating an inherent risk rating based on impact and exploitability
● Calculating residual risk by assessing mitigating controls

Company Information

Name: Butterfly Network, Inc.
SIC Description: X-Ray Apparatus & Tubes & Related Irradiation Apparatus
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30