Protalix BioTherapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Protalix BioTherapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 07:03:11 EDT.

Filings

10-K filed on 2024-03-14

Protalix BioTherapeutics, Inc. filed a 10-K at 2024-03-14 07:03:11 EDT
Accession Number: 0001558370-24-003161


Item 1C. Cybersecurity.

Risk Management and Strategy

Our operations include the creation, collection and maintenance of sensitive information, including proprietary and confidential business information, intellectual property, third-party information and employee information. To protect this information, we use managed detection and response services to monitor our network infrastructure and associated endpoints for possible cybersecurity threats on a constant basis. In addition, we use multi-factor authentication (MFA) for external use, perform penetration testing and engage third parties to assess the effectiveness of our cybersecurity practices. We conduct a thorough risk assessment by identifying critical assets, recognizing potential threats and vulnerabilities, and implement strategies to mitigate these risks and their possible impacts. We establish incident response plans and provide cybersecurity training to our employees and monitor their activity to ensure adherence to our security protocols. A material cyber-attack on our systems, or any other third-party partners or vendors and their key operating systems, may interrupt our ability to operate our business, damage our reputation, or result in monetary damages.

We have implemented a Data Protection Policy, or the DPP, in order to establish the high-level direction for properly managing the use, privacy, security, retention, and disposal of our information, data and assets, and to manage identified material cybersecurity risks. The DPP was prepared using relevant guidance issued and technology standards that are used across various industries. It applies to all entities who are using our equipment and resources, including but not limited to, employees and temporary workers.

Our Senior Director, Information Technology, is primarily responsible for implementing and overseeing the DPP and identifying, measuring, monitoring, and reporting on key enterprise-wide risks, including cybersecurity risks. He is expected to become a certified Information Security Officer in March 2024. Our DPP includes an incident response process that includes reporting thresholds and follows standardized identification and authentication practices. If an incident is identified, it is documented by our Senior Director, Information Technology, who is required to report the incident to management.

We work with third-party service providers from time to time that assist us to identify, assess and manage cybersecurity risks, including professional SEIM SOC and other services firms, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, and penetration testing. No risks from cybersecurity threats have occurred that have affected our business, results of operations or financial condition.

Governance

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management, including our Senior Director, Information Technology, who reports to our Sr. Vice President, Operations. Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, and for communicating key priorities to employees, as well as for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our incident response process involves management, who participates in our disclosure controls and procedures.

Our incident response process is designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances, including work with our incident response team to help the company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the company's incident response processes include reporting to our Board of Directors for certain cybersecurity incidents. Management is involved with our efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing preparation of cybersecurity policies and procedures, testing incident response plans and engaging vendors to conduct penetration tests. Management participates in cybersecurity incident response efforts by being a member of the incident response team and helping direct our response to cybersecurity incidents.

Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. Our Chief Financial Officer and IT consultant provide periodic briefings to the Board of Directors regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, if any, cybersecurity systems testing, activities of third parties, and the like.

See Risk Factors Our internal computer systems, or those used by our third-party contractors or consultants, may fail or suffer security breaches, resulting in liability and harm to our reputation, which could negatively affect our business, results of operation and financial condition. We may face liability if we breach our obligations related to the protection, security, nondisclosure of confidential information or disclosure of sensitive data or fail or are perceived to fail to comply with applicable data protection laws and regulations, or consumer protection laws, regulations and standards.


Company Information

Name: Protalix BioTherapeutics, Inc.
CIK: 0001006281
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: PLX - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30