ClearPoint Neuro, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

ClearPoint Neuro, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 17:17:04 EDT.

Filings

10-K filed on 2024-03-12

ClearPoint Neuro, Inc. filed an 10-K at 2024-03-12 17:17:04 EDT
Accession Number: 0001285550-24-000031

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Our Company places a high priority on cybersecurity, information security, and securing confidential business information and personal information that we receive and store related to our customers and employees. Our Company s Audit Committee oversees the cybersecurity risks faced by the Company. In connection therewith, a Cybersecurity Steering Committee, which consists of our Chief Financial Officer, Chief Operating Officer, General Counsel, Vice President of Software Development, and Vice President of Regulatory Affairs, was formed to identify material risks and cybersecurity threats arising in our business. Our Audit Committee receives updates from the Cybersecurity Steering Committee at least annually, which cover topics related to information security, privacy, and cyber risks and risk management processes, including the status of significant cybersecurity incidences and projects designed to strengthen our information security posture. Our Audit Committee is also responsible for ensuring that the Board of Directors also receives periodic reports with respect to the status and management of our cybersecurity risks. The Cybersecurity Steering Committee, in collaboration with delegates from our business and functions, is responsible for implementing the Company s enterprise-wide cyber security and information security strategy, employee training and compliance, and managing policies and processes for the Company s information technology standards, product security, and privacy. As a member of the Cybersecurity Steering Committee, our Vice President of Software Development provides experience devising effective cybersecurity management practices in the areas of both software and product development, including risk evaluation, impact assessment, security threat modelling, cybersecurity mitigation strategies, residual risk acceptability and methodologies for security risk verification. He has led the integration of our medical device software into some of the largest hospital and research institutions in the world in compliance with the extensive cybersecurity requirements of these institutions. In addition to utilizing internal Company resources, the Cybersecurity Steering Committee also regularly consults with external advisors and specialists regarding opportunities and enhancements to strengthen its practices and policies. We also engage with third-party consultants to manage the infrastructure and security of our information technology landscape. Our cybersecurity program includes: Penetration testing of internal information technology systems and review of program maturity based on the National Institute of Standards and Technology (“NIST”) cybersecurity framework Phishing, social engineering, and cyber hygiene training Continuous security event monitoring, management, and incident response plans Continuous enhancements to security capabilities based on evolving threats 43 Table of Contents Information security policies and procedures Privacy controls and compliance with applicable legislative and regulatory requirements Assessment of applicable third-party vendors cybersecurity and information security practices and A cross-functional approach to addressing cybersecurity risk with participation from representatives across the business and functions. As part of our cybersecurity program, we have adopted an incident response plan, under which the Chairs of our Board of Directors and Audit Committee are informed by the Cybersecurity Steering Committee of any cybersecurity incidents that have the potential to materially adversely impact the Company or its information systems. To date, no attempted cyber-attack or other attempted intrusion on our information technology networks has resulted in a material adverse impact on our operations or financial results, or in any penalties or settlements.

Company Information