STRATA Skin Sciences, Inc. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

STRATA Skin Sciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 20:06:31 EDT.

Filings

10-K filed on 2024-03-27

STRATA Skin Sciences, Inc. filed a 10-K at 2024-03-27 20:06:31 EDT
Accession Number: 0001140361-24-015754


Item 1C. Cybersecurity.

Our Board of Directors administers its cybersecurity risk oversight function directly through our Audit Committee (the “Committee”). The Committee has primary responsibility for overseeing our risk management practices, programs, policies, and procedures related to data privacy, data protection, and cybersecurity. The Committee reviews and evaluates the processes utilized by management to identify and assess the material internal and external risks that may affect our business. The Committee regularly discusses with management, legal counsel, and the internal audit department our major risk exposures. This includes potential financial impact on us and the steps taken to monitor and control those risks. Reviews with management are done annually, which includes a summary of legal and regulatory compliance matters and risk management activities, and a review of our cybersecurity program. Additionally, the Committee oversees the process by which our Board of Directors is informed regarding the risks facing us and coordinates with our legal counsel to ensure our Board of Directors receives regular risk assessment updates from management.

Our IT Manager has been designated as our Chief Information Security Officer (“CISO”), who is responsible for identifying, assessing and managing our risks from cybersecurity threats. The CISO has been with the Company for over five years and has many years of experience in technology. The CISO is supported by our outside IT consulting firm and its cybersecurity team that is staffed with personnel experienced in cyber security, security operations and incident management. The CISO reports to the CFO, who provides the Committee with bi-annual updates about our cybersecurity program and material risks.

Risk Management and Strategy

Processes for identifying and assessing cybersecurity risks

The CISO, with the support of the outside consultant's cybersecurity team and the owners of information technology across the business, monitors current events and trends related to cybersecurity and assesses any potential impact on current systems and operations. There are several processes in place to monitor and review our systems, including third-party solutions, to identify potential risks. Third-party service providers are required to notify us in the event of a cybersecurity incident within their systems, and annual reviews are conducted on our critical third-party vendors. Cybersecurity risks, threats, and incidents, including those from third-party service providers, are tracked and regularly provided to the CISO.

Processes for managing cybersecurity risks

The cybersecurity team tracks risks and incidents related to cybersecurity until the risk is mitigated to an acceptable level or fully remediated. When risks are identified, the cybersecurity team oversees mitigation plans with the risk owner which are communicated to necessary teams and remediation steps are taken.

Processes for incorporating cybersecurity risks into the overall risk management process

Our process for identifying, assessing, and managing risks related to cybersecurity is incorporated into our IT processes. The Risk Management team meets at least annually with cybersecurity leadership to discuss cybersecurity related risks identified and the potential likelihood and severity of each risk. Through this process, cybersecurity risks are presented to the executive leadership team, including the CEO and CFO, as well as reported to the Committee.

Currently, we are not aware of any risks from cybersecurity threats, or from previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company.


Company Information

Name: STRATA Skin Sciences, Inc.
CIK: 0001051514
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: SSKN - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30