CorMedix Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

CorMedix Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 08:15:51 EDT.

Filings

10-K filed on 2024-03-12

CorMedix Inc. filed an 10-K at 2024-03-12 08:15:51 EDT
Accession Number: 0001213900-24-021585

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C, Cybersecurity , in this Annual Report on Form 10-K for more information regarding our cybersecurity risk management, strategy, and governance. Each of U.S. state has adopted legislation requiring notification of a breach in the security of certain personal information. Such breaches trigger requirements for notification not only to affected individuals, but also state authorities and sometimes the media. In addition, they often prompt class action litigation and can have serious reputational consequences. For breaches involving personal data subject to the EU or UK GDPR, there can be substantial fines. Guarding against such breaches requires us to put in place and consistently monitor the effectiveness of data security controls, including technical mechanisms, physical safeguards, and administrative standards. It will increase our responsibility and potential liability in relation to personal data that we process, and we will be required to put in place additional mechanisms ensuring compliance with the new European Union data protection rules. There is significant uncertainty related to the manner in which data protection authorities will seek to enforce compliance with GDPR. For example, it is not clear if the authorities will conduct random audits of companies doing business in the European Union, or if the authorities will wait for complaints to be filed by individuals who claim their rights have been violated. Enforcement uncertainty and the costs associated with ensuring GDPR compliance may be onerous and adversely affect our business, operating results, prospects and financial condition. Any access, disclosure or other loss of information, including our data being breached at our partners or third-party providers, could result in legal claims or proceedings and liability under laws that protect the privacy of personal information, disrupt our operations and damage our reputation, which could adversely affect our business. We do not currently pay dividends on our common stock so any returns on our common stock may be limited to the value of our common stock. We have never declared dividends on our common stock, and currently do not plan to declare dividends on shares of our common stock in the foreseeable future. We currently expect to retain future earnings, if any, for use in the operation and expansion of our business. The payment of cash dividends in the future, if any, will be at the discretion of our Board of Directors and will depend upon such factors as earnings levels, capital requirements, our overall financial condition and any other factors deemed relevant by our Board of Directors. Any return to holders of our common stock will be limited to the value of their common stock. 33 We are a smaller reporting company and we cannot be certain if the reduced reporting requirements applicable to such companies could make our common stock less attractive to investors. We are a smaller reporting company , as defined in the Exchange Act. For as long as we continue to be a smaller reporting company, we may take advantage of exemptions from various reporting requirements, including exemption from compliance with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley Act), only being required to provide two years of audited financial statements in annual reports and reduced disclosure obligations regarding executive compensation in periodic reports and proxy statements. We cannot predict if investors will find our common stock less attractive because we may rely on these exemptions. If some investors find our common stock less attractive as a result, there may be a less active trading market for our common stock and our stock price may be more volatile. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity Management and Strategy The Company has processes in place for assessing, identifying, preventing, and managing material risks from cybersecurity threats, including related to the use of third party service providers. In addition, the Company leverages the security and monitoring tools of third party service providers. These processes are integrated into the Company s overall risk management program and systems, as overseen by the Board, primarily through the Audit Committee. We maintain physical, technical and administrative safeguards to prevent and identify cybersecurity risks, and have implemented practices and procedures to address cybersecurity risks. To this end, among other things, we: provide annual mandatory training for our employees regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices conduct regular simulation modules for all employees to enhance awareness and responsiveness to possible threats conduct cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data and carry cyber liability insurance that is intended to provide protection against the potential losses arising from a cybersecurity incident. We are currently working with outside counsel to further develop a formal cybersecurity incident response plan. While we are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this Annual Report on Form 10-K. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services and loss of investor confidence. Governance The Board executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and the Board has authorized the Audit Committee to oversee risks related to cybersecurity threats. Our Audit Committee has primary oversight responsibility for cybersecurity and information security risk management and controls. As part of its oversight function, the Audit Committee oversees the Company s risk assessment and risk management policies, including related to cybersecurity and the overall data protection program. 34 Our senior management is responsible for assessing and managing the Company s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. The Company s Senior Manager, IT, has 24 years of experience in enterprise IT and has primary responsibility for managing our cybersecurity program and efforts, and our finance and IT teams are responsible for the testing and audit of our information-technology related internal controls. See Item 1A, Risk Factors , for additional information on the Company s cybersecurity risk profile, in particular the risk factors under the headings entitled Risks relating to data privacy could create additional liabilities for us and Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer .
Item 1C. Cybersecurity Management and Strategy The Company has processes in place for assessing, identifying, preventing, and managing material risks from cybersecurity threats, including related to the use of third party service providers. In addition, the Company leverages the security and monitoring tools of third party service providers. These processes are integrated into the Company s overall risk management program and systems, as overseen by the Board, primarily through the Audit Committee. We maintain physical, technical and administrative safeguards to prevent and identify cybersecurity risks, and have implemented practices and procedures to address cybersecurity risks. To this end, among other things, we: provide annual mandatory training for our employees regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices conduct regular simulation modules for all employees to enhance awareness and responsiveness to possible threats conduct cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data and carry cyber liability insurance that is intended to provide protection against the potential losses arising from a cybersecurity incident. We are currently working with outside counsel to further develop a formal cybersecurity incident response plan. While we are regularly exposed to malicious technology-related events and threats, none of these threats or incidents, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this Annual Report on Form 10-K. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services and loss of investor confidence. Governance The Board executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and the Board has authorized the Audit Committee to oversee risks related to cybersecurity threats. Our Audit Committee has primary oversight responsibility for cybersecurity and information security risk management and controls. As part of its oversight function, the Audit Committee oversees the Company s risk assessment and risk management policies, including related to cybersecurity and the overall data protection program. 34 Our senior management is responsible for assessing and managing the Company s various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. The Company s Senior Manager, IT, has 24 years of experience in enterprise IT and has primary responsibility for managing our cybersecurity program and efforts, and our finance and IT teams are responsible for the testing and audit of our information-technology related internal controls. See Item 1A, Risk Factors , for additional information on the Company s cybersecurity risk profile, in particular the risk factors under the headings entitled Risks relating to data privacy could create additional liabilities for us and Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer .

Company Information