OptiNose, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

OptiNose, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 07:01:38 EST.

Filings

10-K filed on 2024-03-07

OptiNose, Inc. filed a 10-K at 2024-03-07 07:01:38 EST
Accession Number: 0001494650-24-000018


Item 1C. Cybersecurity.

Cybersecurity Disclosure

We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.

Cybersecurity Program

Given the importance of cybersecurity to our business, we maintain a robust cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of safeguards, such as: complex password protection; multi-factor authentication with geo-location and multi-step confirmation; continuous monitoring and alerting systems for internal and external threats; regular evaluations of our cybersecurity program, including periodic internal and external audits, penetration tests, and incident response planning; and industry benchmarking. We also require cybersecurity training when onboarding new employees and contractors assigned access to Optinose networks, as well as annual, required cybersecurity awareness training for our employees and contractors assigned access to Optinose networks. Our program leverages industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), to strengthen our program effectiveness and reduce cybersecurity risks. We use a risk-based approach with respect to our use and oversight of third-party IT service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party IT service provider and performing additional risk screenings and procedures, as appropriate.

We use a number of means to assess cyber risks related to our third-party IT service providers, including conducting due diligence in connection with onboarding new IT service providers and, where appropriate, annual due diligence of such third-party IT service providers. We also collect and assess cybersecurity audit reports and other supporting documentation when available and include appropriate security terms in our IT contracts where applicable as part of our oversight of third-party IT service providers. Because most of our critical IT systems are cloud-based and hosted by third-party IT service providers, we are dependent on the security controls of such vendors.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

In the event of a cybersecurity incident, we maintain a regularly reviewed incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat, determining any public disclosure obligations with respect to the incident, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We maintain an Incident Response standard operating procedure ("IRP SOP") and business continuity and disaster recovery plans in the event of a significant cybersecurity incident. We have relationships with a number of third-party service providers to assist with cybersecurity containment and remediation efforts, including forensic investigation firms, insurance providers and various law firms.

Governance

Management Oversight

The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Vice President, Information Technology. Our Vice President, Information Technology leverages his over 30 years of experience as CIO/CTO/CISO in companies such as Therakos, Healthtronics IT Solutions, Endo Pharmaceuticals, Johnson and Johnson, and Animas. Our Vice President, Information Technology is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. The Vice President, Information Technology is a member of our senior management team and provides regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements.

Board Oversight

Our Board of Directors has overall responsibility for risk oversight including oversight of cybersecurity risk matters. The Board is responsible for reviewing, discussing with management, and overseeing the Company's data privacy, information technology and security and cybersecurity risk exposures, including: (i) the potential impact of those exposures on the Company's business, financial results, operations and reputation; (ii) the programs and steps implemented by management to monitor and mitigate any exposures; (iii) the Company's information governance and cybersecurity policies and programs; and (iv) major legislative and regulatory developments that could materially impact the Company's data privacy and cybersecurity risk exposure.

On no less than an annual basis, the Vice President, Information Technology reports to the Board on information technology and cybersecurity matters, including a detailed threat assessment relating to information technology risks, the potential impact of those exposures on the Company's business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures, the Company's information governance and cybersecurity policies and programs, and significant legal/regulatory developments that could materially impact the Company's cybersecurity risk exposure. The Audit Committee of our Board is responsible for assisting the Board in performing its oversight of our cybersecurity program, its effectiveness and any breaches or other cybersecurity events. Further, our Vice President, Information Technology is responsible for apprising the Audit Committee of the Board of cybersecurity incidents consistent with our IRP SOP, promptly for higher priority incidents and in the aggregate for lower priority incidents. Additionally, we maintain a standing agenda item at our quarterly Audit Committee meetings to report any cybersecurity incidents or risk matters.

Cybersecurity Risks

Our cybersecurity risk management processes are integrated into our overall Enterprise Risk Management ("ERM") processes. As part of our ERM processes, department leaders identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. Department leaders are asked to consider the severity and likelihood of certain risk factors, drawing upon their company knowledge and past business experience. While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures.

For additional information, see Item 1A Risk Factors. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our own systems, networks, and technology or the systems, networks and technology of our contractors, consultants, vendors and other business partners.


Company Information

Name: OptiNose, Inc.
CIK: 0001494650
SIC Description: Pharmaceutical Preparations
Ticker: OPTN - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30