Data Storage Corp 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Data Storage Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:58:12 EDT.

Filings

10-K filed on 2024-03-28

Data Storage Corp filed an 10-K at 2024-03-28 16:58:12 EDT
Accession Number: 0001731122-24-000526

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY The Company maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The Company s cyber risk management program’s underlying processes and controls incorporate recognized best practices and standards for cybersecurity and information technology. We conduct annual risk assessments to identify risks related to company assets and business processes, assess the risk s likelihood and potential consequences to the organization, and document any mitigating controls that are in place. Risks that are either highly likely to occur or whose impact on the organization is high are addressed through risk treatment, including risk acceptance, mitigation, transfer, or avoidance. The Company documents risk treatments and corresponding action items and tracks progress quarterly through an information security steering committee. The Company maintains a comprehensive set of policies, standards, processes, and other documentation per the ISO 27001:2013 standard s requirements, the most widely industry-accepted standard for managing organizational information and data security risks, for implementing an Information Security Management System (ISMS). Documentation addresses overall information security, access management, asset management, encryption, data retention and disposal, vulnerability management, and more. Together, these documents form the foundation of our ISMS and ensure organizational assets and processes for information security are managed, governed, and are operating effectively. The Company s management team oversees and administers its risk management program and informs senior management, the Cyber Security & Risk Committee of the Company s Board of Directors (the Board or the Board of Directors ), and other relevant stakeholders regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Cyber Security & Risk Committee of the Board of Directors consists of Matthew Grover and Uwayne A. Mitchell. The Company s ISMS Steering Committee also oversees risks from cybersecurity threats. The Company also contracts with a third-party consultant to ensure the ISMS and information security controls comply with applicable standards and requirements. The ISMS Steering Committee is specifically responsible for reviewing the adequacy of the Company s information security controls. The committee, including member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk services, reviews vulnerabilities identified through the risk management process, the effectiveness of the Company s cyber risk management program, and the emerging threat landscape and new cyber risks on a quarterly basis. This includes updates on the Company s processes to prevent, detect, and mitigate cybersecurity incidents. In addition, cybersecurity risks are reviewed by the Cyber Security and Risk Committee at least annually as part of the Company s corporate risk oversight processes. The Company also undergoes annual internal and external ISO 27001:2013 audits to proactively identify nonconformity issues within the ISMS and demonstrate ongoing compliance with the standard. As part of its review of the adequacy of our system of internal controls over financial reporting and disclosure controls and procedures, the Cyber Security & Risk Committee of the Board of Directors, comprised of independent directors, is specifically responsible for reviewing the adequacy of our computerized information system controls and security related thereof, the Company s cybersecurity threat landscape, risks and the Company s management and mitigation of cybersecurity risks and potential breach incidents. 27 The Company faces risks from cybersecurity threats that could adversely affect its business, financial condition, results of operations, cash flows, or reputation. The Company acknowledges that the risk of cyber incidents is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of its business. To date, the Company has not experienced a cybersecurity incident. The Company proactively seeks to detect and investigate unauthorized attempts and attacks against its IT assets, data, and services and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to service delivery however, potential vulnerabilities to known or unknown threats will remain. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors, and additional stakeholders, which could subject us to additional liability and reputational harm. See Item 1A. Risk Factors for more information on cybersecurity risks.

Company Information