Hyperfine, Inc. 10-K Cybersecurity GRC - 2024-03-22

Page last updated on April 11, 2024

Hyperfine, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-22 16:06:28 EDT.

Filings

10-K filed on 2024-03-22

Hyperfine, Inc. filed an 10-K at 2024-03-22 16:06:28 EDT
Accession Number: 0000950170-24-035343

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Our current digital age has seen a remarkable growth in information technologies that allows for greater connectivity capabilities and faster sharing of data and information than ever before. These rapid advances in technology have been of great benefit to organizations like our own, which seek to deliver cutting-edge and life-enhancing solutions for our customers. In our pursuit of these objectives, we acknowledge and take seriously our responsibility to maintain the highest level of confidentiality, integrity, and availability of data belonging to our customers, prospects, external partners, and internal workforce members, and to protect our critical information technology systems and infrastructure against current and ever evolving cybersecurity threats and attacks. It is our organization s aim to comply with all cybersecurity and data privacy laws and regulations in applicable jurisdictions. Additionally, we are committed to meeting national and international standards and best practices for our industry for effective cybersecurity risk management of the organization s confidential information and critical IT infrastructure. Our cybersecurity and data protection policies, standards, processes and practices are based on recognized frameworks established by the National Institute of Standards and Technology, or NIST , and other applicable industry standards and frameworks such as HITRUST and SOC 2. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, integrity, and availability of the data that we collect and store, and information systems and technologies through which that data is processed, by identifying, preventing and mitigating cybersecurity threats, and effectively responding to cybersecurity incidents when they occur. Our organization s internal administrative, technical, and physical security measures (controls) are tested for compliance to these frameworks and reviewed annually. The domains and controls associated with these frameworks are tested and reviewed annually. Certifications of compliance, and/or Auditor s Letters of Opinion Attestation of Compliance from the applicable auditors are provided once the audits are completed each year. The status of our cybersecurity program is regularly reported to our organization s board of directors. Our board of directors is actively involved in oversight of our cybersecurity risk management activities, and cybersecurity represents an important element of our organization s overall approach to risk management in the pursuit of its business goals and objectives. 67 Cybersecurity Risk Management and Strategy Effect of Risk We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our data and information systems are effectively secured and prepared for information security risks by internal and external threat actors. Our program involves regular monitoring of our internal IT assets, data inventories, and potential security exploits and/or threats to those assets confidentiality, integrity, and availability. We employ a range of technical security tools and external security services, including regular network and endpoint monitoring, compliance audits, vulnerability assessments, penetration testing, threat modeling and tabletop exercises to inform our risk posture, remediation plans and cybersecurity investments. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. As discussed in more detail under Cybersecurity Governance below, our board of directors and our audit committee provide oversight of our cybersecurity risk management and strategy processes, which are led by our Chief Compliance Officer, Chief Administrative Officer, Chief Operating Officer, Security Officer, Data Protection Officer, Senior Director of Cybersecurity and IT, and Governance Risk and Compliance Manager. We also identify our cybersecurity threat risks by comparing our processes to standards established by the HITRUST and SOC2 frameworks and any findings resulting from penetration testing and threat modeling conducted by third party service providers. To provide for the confidentiality, integrity, and availability of critical data and information systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following internal security measures: maintain a cybersecurity program through formally-defined documented policies, standards, processes, and procedures to ensure internal security measures are implemented to protect against cybersecurity threats, to assess emerging cybersecurity and data privacy laws, and to implement changes to our processes that are designed to comply with laws applicable to our organization implement policies and procedures to identity organizational assets, data and critical IT systems, assess (and periodically re-assess) those assets, data, and systems for cybersecurity risks, and to develop management plans for identifying and remediating identified risks through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to handle confidential data and systems in a legally compliant and acceptable manner employ technical security tools that are designed to protect our critical data and information systems from cybersecurity threats, including network firewalls and access controls, vulnerability scanners, intrusion prevention and detection systems, anti-malware/endpoint protection systems, and identity and access management systems which are evaluated for effectiveness and improved through vulnerability assessments and cybersecurity threat intelligence provide quarterly, mandatory training for our employees regarding cybersecurity threats to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices implement administrative processes and procedures to define acceptable security parameters and baselines of IT assets and information systems, and utilize access controls to prevent unauthorized alterations to system parameters and to maintain oversight over configuration changes and modifications to those systems conduct third party security reviews of critical and high-risk third-party suppliers and vendors conduct quarterly phishing email simulations for all employees with access to our email systems to enhance awareness and responsiveness to possible threats conduct cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data run annual tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies 68 implement a formal Incident Response Plan, based upon NIST, HITRUST, and SOC2 frameworks, to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident, which Incident Response Plan includes processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation and carry information security risk insurance to insure against potential losses arising from a cybersecurity incident. As part of the above processes, we regularly engage with consultants, auditors and other third parties, including annually having a third-party independent Risk Assessor review our cybersecurity program to help identify areas for continued focus, improvement, and compliance. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers, manufacturers and other third parties who have access to patient and employee data or our IT systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and we continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading under Risk Factors titled Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation , which disclosures are incorporated by reference herein. In the last two fiscal years, we have not experienced any material cybersecurity incidents and any expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. As needed, we will contract a professional cybersecurity investigation firm to conduct a full forensic analysis of any suspected material incident. To date, we have concluded that there has not been any evidence of material concern involving malware, persistence mechanisms or other compromised exchange of on-premises accounts within the Company s environment. Cybersecurity Governance Management Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats. At least quarterly, our audit committee receives an update from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Our audit committee generally receives materials that include a cybersecurity scorecard and other materials discussing current and emerging material cybersecurity threat risks, and describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties, and discusses such matters with our Chief Compliance Officer, Chief Administrative Officer, Chief Operating Officer, Security Officer, Data Protection Officer, Senior Director of Cybersecurity and IT, and Governance Risk and Compliance Manager. Our audit committee also receives prompt and timely information regarding any material cybersecurity incident that meets reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Members of our audit committee are also encouraged to regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters. 69

Company Information