Predictive Oncology Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Predictive Oncology Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:28:42 EDT.

Filings

10-K filed on 2024-03-28

Predictive Oncology Inc. filed an 10-K at 2024-03-28 17:28:42 EDT
Accession Number: 0001171843-24-001694

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Our Board of Directors (the Board ) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board exercises oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management ( ERM ). Our cybersecurity policies, standards, processes, and practices are integrated into our ERM program and are based on frameworks established by the National Institute of Standards and Technology ( NIST ) and other applicable industry standards. In general, we seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Risk Management and Strategy As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas: Governance. As discussed in more detail under the heading Governance, the Board maintains an active role concerning cybersecurity risk management including oversight of the Company s employee personnel with extensive experience in the field. Technical Safeguards and Risk Management Processes. We have implemented a risk management framework to identify, evaluate, and address cybersecurity risks. This framework includes the deployment of tools to detect potential threats, the maintenance of detailed incident logs, and the development of risk mitigation strategies. Our cybersecurity measures and policies are subject to regular testing and continuous improvement to adapt to new threats as they arise. Education and Incident Reporting. We have instituted a company-wide security awareness training program to educate employees about cybersecurity risks and their role in maintaining our security posture. Continuous education and testing support our workforce in remaining knowledgeable and vigilant to cybersecurity threats. Employees are instructed to report all cybersecurity concerns directly to our internal information technology ( IT ) team for immediate assessment and response. Cybersecurity Incident Response Plan. We maintain a comprehensive incident response plan designed to mitigate the impact of a cybersecurity incident. This plan includes protocols for internal response, external communication, and remediation efforts to minimize the impact on our operations and stakeholders. Third-Party Risk Management. We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. 31 We engage in the periodic assessment and testing of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a range of activities, including audits, assessments, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Board, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews. Governance The Board oversees the Company s ERM process, including the management of risks arising from cybersecurity threats. The Board receives reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security considerations arising with respect to the Company s peers and third parties. The Board also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. The Senior Director of IT and Cybersecurity, in coordination with our executive officers, work collaboratively across the Company to implement a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company s incident response plan. To facilitate the Company s cybersecurity risk management program, the Company s internal IT team is deployed to work with business functions across the Company to address cybersecurity threats and to respond to cybersecurity incidents. The Senior Director of IT and Cybersecurity, as leader of the internal IT team, monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to the executive officers and Board when appropriate. The Senior Director of IT and Cybersecurity has served in various roles in information technology and information security for more than two decades with a track record of managing systems compliant with relevant security standards. The Senior Director of IT and Cybersecurity has industry experience and education aligned with the Company s work and the data we maintain. The Senior Director of IT and Cybersecurity s expertise is complemented by that of the Company s CEO and Interim CFO, each with degrees in their respective fields and extensive leadership experience including experience managing risks at similar companies. We face a number of cybersecurity risks in connection with our business. Such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date. For more information about the cybersecurity risks we face, see the risk factor entitled Security breaches, loss of data, and other disruptions to our business or the business of our third-party service providers could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and reputation. in Item 1A. Risk Factors.

Company Information