VOLITIONRX LTD 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

VOLITIONRX LTD reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 16:19:27 EDT.

Filings

10-K filed on 2024-03-25

VOLITIONRX LTD filed an 10-K at 2024-03-25 16:19:27 EDT
Accession Number: 0001477932-24-001453

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We maintain an information security and cybersecurity program, as well as a cybersecurity governance framework, which are designed to protect our information systems against operational risks related to cybersecurity. Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats which include, among other things, operational risks, intellectual property theft, fraud or extortion, harm to employees or customers, violation of privacy or security laws and related litigation and legal risk, and reputational risks. We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information, and detect and contain any cybersecurity incidents that impact us. The program is integrated into our overall risk management systems and processes, and includes a cybersecurity risk assessment process that routinely evaluates potential impacts of cybersecurity risks on our business, including our operations, financial stability, and reputation. These assessments inform our cybersecurity risk mitigation strategies. The results are regularly shared with management and the Audit Committee of our board of directors as part of the committee s involvement in managing and overseeing cybersecurity risks. Our cybersecurity risk management program also includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. If a cybersecurity incident is determined to be a potentially material cybersecurity incident, our disclosure controls and procedures define the steps to determine materiality and disclose such a material cybersecurity incident. While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our employees, customers, regulators, service providers, and other third parties have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see the section entitled Risk Factors Failure in our information technology, storage systems or our clinical laboratory equipment could significantly disrupt our operations and our research and development efforts included within this Report. Cybersecurity Governance Our board of directors is actively involved in overseeing risks from cybersecurity threats. At least once a year, the board of directors discusses our programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of our business strategy. Additionally, our board has delegated to our Audit Committee the authority to oversee and review the adequacy of our cybersecurity, information and technology security, and data privacy programs, procedures, and policies. Our Audit Committee is comprised entirely of independent directors who regularly evaluate cybersecurity risks. The Audit Committee regularly receives updates from management with respect to the Company s efforts to manage data protection, cybersecurity, and information and technology risks, and assesses the results of reviews from internal audits. Materials presented to our Audit Committee include updates on our data security posture, results from internal audit and third-party assessments, our incident response plan, and certain cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The committee also regularly engages with our Group IT Manager on technology risk-related topics. Our processes also allow for our board of directors and the Audit Committee to be informed of key cybersecurity risks outside the regular reporting schedule. While the Audit Committee conducts meetings regularly, the committee is authorized to meet with management or individual directors at any time it deems appropriate to discuss matters relevant to the committee. The Company s policy is for the board and the Audit Committee to receive prompt and timely information regarding any cybersecurity risk (including any incident) that meets reporting thresholds, as well as ongoing updates regarding any such risk, in accordance with our data breach reporting procedure and GDPR. 25 Table of Contents

Company Information