Pulse Biosciences, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Pulse Biosciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:05:51 EDT.

Filings

10-K filed on 2024-03-28

Pulse Biosciences, Inc. filed an 10-K at 2024-03-28 16:05:51 EDT
Accession Number: 0001437749-24-009815

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy To combat ever-present cyber risks, the Company maintains a comprehensive cybersecurity program, which includes employee training, annual risk assessments and a comprehensive cybersecurity environment meant to detect, prevent, and limit unauthorized or harmful actions across our information technology environment. However, we operate in the medical device sector, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft fraud extortion harm to patients, customers, and employees violation of privacy laws and other litigation and legal risk and reputational risk. We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. We use recognized commercially reasonable measures, tools and methodologies to manage cybersecurity risk that are tested on a regular cadence. We also monitor and evaluate our cybersecurity posture on an ongoing basis through regular vulnerability scans, penetration tests and third-party reviews. Other key components of our cybersecurity program include, but are not limited to, asset management, encryption, data loss prevention technology, access controls, identity and access management (IAM), such as multi-factor authentication (MFA), vulnerability management, endpoint threat detection and response (EDR), logging and monitoring involving the use of security information and event management (SIEM), privileged access management (PAM), email and web gateway protection, multi-faceted backup and data recovery solutions, anti-malware, firewalls, IDS and IPS, auditing and monitoring, regular policy updates, security awareness training, anti-phishing campaigns, intrusion detection and prevention, vulnerability and patch management, and third-party risk management. We also subscribe to third-party threat intelligence tools and services that support monitoring, analyzing, and responding to emerging risks and threats. We require third-party service providers with access to personal, confidential, or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards, although currently we do not audit this. While we believe our cybersecurity practices are comparable to those of similarly situated companies, the Company does not currently audit its third-party service providers cybersecurity practices, except through annual SOC-1 reviews and its regulatory and quality control auditing of vendors engaged in clinical trials or the manufacture of products used in the assembly of our medical devices. We also rely on industry leading third party service providers to provide the systems required to effectively run our clinical trials and require that these third-party service providers implement and maintain standard cybersecurity practices. We have business continuity plans that we regularly review and update in line with our evolving applications architecture. We believe our cybersecurity practices comply with applicable legal requirements, including those established by the FDA. To date, we have not experienced any material security incidents or data breaches as a result of a compromise of our information systems and are not aware of any cybersecurity incidents that have had a material impact or are reasonably likely to materially affect our business strategy, operating results, or financial condition. 33 Table of Contents Cybersecurity Governance One of the key functions of our board of directors is informed oversight of our compliance program, including the processes used to mitigate risks associated with cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure generally, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board administers its enterprise-level oversight of risks associated with cybersecurity threats directly as a whole, as well as through delegation of responsibility to our Audit Committee, which serves and functions as the Board s primary oversight body to monitor the Company s cybersecurity and related information technology risk. The Audit Committee receives periodic reports from management personnel responsible for enterprise risk management, which also evaluates cybersecurity among other enterprise level risks on an annual basis. It also assesses the experience of management personnel responsible for preventing, mitigating, detecting, and remediating any cyber incidents, including applicable third-party providers. The Audit Committee also oversees the Company s disclosure of any cybersecurity incident deemed material as required by the SEC or any other governmental authority, as applicable. At the operational level, the Company has established an information security team, including a Privacy and Security Council ( PSC ), consisting of representatives from IT, Legal, HR, and Finance, to help provide governance and strategic direction for managing cyber risks, maintaining IT regulatory compliance, and optimizing technology initiatives for alignment with our company goals and objectives. Pursuant to various policies adopted by the Company since 2021, including the Company’s Privacy Policy, the Company s senior most IT employee, our Information Security Coordinator (our ISC ), is a member of the PSC and has frontline responsibility for assessing, identifying and managing material risks from cybersecurity threats. The PSC convenes not less than annually, and meetings include updates on cybersecurity matters provided by the information security team. Our ISC has expertise in the following areas which assist in assessing and managing applicable cybersecurity risk: 27 years of IT experience including endpoint detection, security, incident management and response, vulnerability management and response, event management and response, and network security segmentation. The ISC provides regular reports on ongoing risk and mitigation practices, including information about cyber risk management governance and status updates on various projects intended to enhance the overall cybersecurity posture of the Company, to our Chief Executive Officer, Chief Technology Officer, and General Counsel, who then report to the Audit Committee and the Board. Our incident response plan designates our ISC as primarily responsible for identifying and evaluating any cybersecurity incident or suspected incident and reporting any such incidents to our General Counsel in order for management to evaluate materiality, and to report to our Audit Committee, our Board and make public disclosures, as applicable. Our General Counsel is responsible for routinely updating both the Board and the Audit Committee on the Company s cybersecurity personnel, practices and processes and, pursuant to our data breach response policy, which is updated from time to time, he must report to the Board in the event of any detected material incident and regularly update the Board on any mitigation and remediation steps being taken in connection with the Company s response. The Company has, from time to time, engaged external experts, including cybersecurity assessors, consultants, auditors, and legal counsel, in evaluating and testing our risk management systems and on a project-specific basis to assist us with projects that will improve our IT infrastructure, strengthen our products security posture, and improve our cyber readiness. This enables us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes remain current.

Company Information