DELCATH SYSTEMS, INC. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

DELCATH SYSTEMS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 09:32:24 EDT.

Filings

10-K filed on 2024-03-26

DELCATH SYSTEMS, INC. filed an 10-K at 2024-03-26 09:32:24 EDT
Accession Number: 0001628280-24-013008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and clinical trial data results ( Information Systems and Data ). The Company s Senior Vice President of Finance ( SVPF ) and Director of Information Technology ( IT ) help identify, assess and manage cybersecurity risk, including input from employees, and devote resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats. The SVPF and Director of IT identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company s risk profile using various methods including, for example maintaining manual and automated tools, conducting scans of threats and actors, evaluating threats reported to us, completing internal and external audits, and completing third-party threat assessments. We have processes and standards to address cybersecurity matters and mitigate material cybersecurity risk. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including , for example, encryption standards, access controls, disaster recovery/business continuity plans, incident detection and response, antivirus protection, remote access security, and multi factor authentication. All employees are required to complete cybersecurity trainings at least once a year. Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, our Director of IT along with management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Board, which evaluates our overall enterprise risk. The SVPF and Director of IT, who has over thirty years of experience in information technology and has both a computer science and information science degree, a re responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board of Directors. We support our information security program with external resources including cybersecurity software providers and advisors as needed. We have a vendor management processes to manage cybersecurity risks associated with our use of these external providers that includes a risk assessment for each vendor, reviews of vendor audits and reports, and we also impose certain contractual information security obligations on vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework. The Board, as part of its general oversight function, participate in discussions with senior management and amongst themselves regarding cybersecurity risks. With the assistance of the Company s most senior IT manager, we review annually the cyber and data security risks of our overall IT environment. We assess cybersecurity risk and the overall environment which includes devices, IT systems, websites, social media accounts, manufacturing technology/systems and suppliers/vendors. The oversight from the Board includes material changes to policies, procedures, employee training and elements of the overall environment, as necessary, senior management provides an update on emerging cyber threats. The Board has access, as requested, to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of senior management, depending on the circumstances. Senior management works with the Company s cybersecurity incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company s cybersecurity incident response plan includes reporting to the Board for certain cybersecurity incidents. We face a number of cybersecurity risks in connection with our business. For more information about the cybersecurity risks we face, see the risk factor entitled We and the third parties that support us rely on the proper function, availability and security of information technology systems to operate our business and a cyber-attack or other breach of these systems could have a material adverse effect on our business, including by not limited to regulatory investigations or actions litigation fines and penalties disruptions of our business operations reputational harm loss of revenue or profits and other adverse consequences in Item 1A- Risk Factors. 45 Table of Contents

Company Information