NovaBay Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

NovaBay Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:14:46 EDT.

Filings

10-K filed on 2024-03-26

NovaBay Pharmaceuticals, Inc. filed an 10-K at 2024-03-26 16:14:46 EDT
Accession Number: 0001437749-24-009417

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Many aspects of our business are dependent upon our computer systems, devices, and networks to collect, process, and store data necessary to conduct many aspects of our business, including the analysis of our products, the maintenance of our intellectual property, the recording and reporting of commercial and financial information, and payroll. We rely on standard operating systems and software from established and reliable third parties to provide security including Microsoft 365, Salesforce, and ADP. The Company does not have in-house information technology personnel. Management makes concerted efforts to select third-party software providers with a demonstrated track-record of effectively addressing cyber-security concerns. In event of a cyber-security incident, we would rely upon these providers. In light of the Company’s current size and relatively low cyber-risk profile, management believes that reliance upon experienced third-party providers is the most prudent and cost-effective course. Governance Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company employees, including our Chief Executive Officer, General Counsel and Chief Compliance Officer. Our Board of Directors addresses the Company s cybersecurity risk management as part of its general risk oversight function. The Board of Directors has access to various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation. In its oversight role, the Board of Directors is expected to specifically consider risks that relate to the reputation of the Company and the general industry in which we operate, including with respect to privacy, information technology and cybersecurity and threats to technology infrastructure. Our cybersecurity risk management processes are integrated into our overall approach to risk management. Given the nature and size of our Company, we do not have a dedicated enterprise risk function, but our management regularly considers and evaluates risks to our Company. As part of that risk management process, management identifies, assesses and evaluates risks impacting our operations across the Company, including those risks related to cybersecurity, and raises them for discussion with our employees, and where it is determined to be appropriate, issues are also raised to the Board of Directors for consideration. To promote organization-wide attention to cybersecurity issues, we conduct mandatory employee training on cybersecurity and provide ongoing cybersecurity education and awareness, monitoring phishing attacks, and cybersecurity awareness materials. Cybersecurity Risks As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected our business strategy, results of operations or financial condition or are reasonably likely to have such a material effect. However, the sophistication of and risks from cybersecurity threats and incidents continues to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and incidents and protect our systems and information may not successfully protect against all cybersecurity threats and incidents. For additional information regarding risks relating to information security, see Item 1A Risk Factors.

Company Information