Neuronetics, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Neuronetics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 21:44:57 EST.

Filings

10-K filed on 2024-03-07

Neuronetics, Inc. filed an 10-K at 2024-03-07 21:44:57 EST
Accession Number: 0001558370-24-002772

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various industry standard security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. Given the prevalence of social engineering attacks, we have implemented a two-pronged approach of training and security mitigations: educating users about how to detect a potential attack (phishing, malware, etc.) and security tools, which can decrease the likelihood of occurrence through multi-factor authentication, endpoint detection and response and other tools focused on locking down cyber threats. A team of industry experts comprised of representatives from our Information Technology department and support functions, along with outside experts assesses risks based on probability and potential impact to key business systems and processes. Risks that are considered high are incorporated into our overall risk management program. A mitigation plan is developed for each identified high risk, with progress reported to the Executive Leadership Team and Audit Committee and tracked as part of our overall risk management program overseen by the Audit Committee of our board of directors. These mitigations target implementing automated tools for detection and prevention wherever possible, supplemented by training and process controls as needed. Recurring maintenance, reporting and awareness tasks are conducted and documented within our Service Management Software and Security tools for record keeping and trending. We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes through various penetration testing and best practice reviews. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We are aware that cybersecurity is a continually changing landscape and as a result, the engagement with these experts helps us evaluate our risk-based processes with respect to the trends. Cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our Company. Refer to the risk factor captioned Security and privacy breaches may expose us to liability and harm our reputation and business in Part I, Item 1A. Risk Factors for additional description of cybersecurity risks and potential related impacts on our Company. Governance Our board of directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee of the board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of emerging industry-wide trends in cybersecurity risks along with specific risk areas our company has greater risks throughout the year, including, among 64 Table of Contents others, those relating to cybersecurity threats. These reports come from the Head of IT to include our enterprise risk profile on a quarterly basis. The Audit Committee reviews our cybersecurity risk profile with management on a periodic basis using key performance and/or risk indicators. These key performance indicators are industry-standard metrics and measurements designed to assess the effectiveness of our cybersecurity program in the prevention, detection, mitigation, and remediation of cybersecurity incidents. We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. The Company s Head of IT is responsible for the establishment and maintenance of our cybersecurity program, as well as the assessment and management of cybersecurity risks. The current Head of IT has over 20 years of experience in information security and possesses the requisite education, skills and experience expected of an individual assigned to these duties. In addition to individual skills, the Head of IT has partnered with several third-party Cybersecurity experts to identify new areas of risk and the latest trends in security tools and methods.

Company Information