QUEST PATENT RESEARCH CORP 10-K Cybersecurity GRC - 2024-03-28

Page last updated on July 16, 2024

QUEST PATENT RESEARCH CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 09:00:33 EDT.


10-K filed on 2024-03-28

QUEST PATENT RESEARCH CORP filed a 10-K at 2024-03-28 09:00:33 EDT
Accession Number: 0001213900-24-026933


Item 1C. Cybersecurity.

Risk Management

We face significant and persistent cybersecurity risks due to the need to protect both our business generally, including our proprietary information and proprietary information of others, our negotiations with both funding sources and potential sellers of intellectual property and the need to protect the confidentiality of information concerning our personnel and others with whom we conduct business. As a company that owns and seeks to enforce intellectual property rights, we face threats from bad actors who seek to disrupt the business of companies that seek to monetize intellectual property rights by commencing litigation as well as others who are engaging in malicious activities for profit, to make a political point or for no particular reason other than creating disruption. Disclosure of certain information as a result of a cybersecurity breach may result in a breach of privacy laws. The substantial level of harm that could occur to us were we to suffer impacts of a material cybersecurity incident requires us to maintain robust governance and oversight of these risks and to implement mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks.

While we have not, as of the date of this annual report, experienced a cybersecurity threat or incident, we cannot assure you that we will not experience such an incident in the future. Any cybersecurity incidents, whether or not successful, could result in our incurring additional costs related to, for example, rebuilding our internal systems, implementing additional threat protection measures, responding to regulatory inquiries or actions, paying damages or making payments to obtain access to our computer systems, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm.

In addition, these threats are constantly evolving and the bad actors are becoming increasingly sophisticated, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We seek to detect and investigate unauthorized attempts and attacks against our network and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we and the law firms that represent us in litigation can be unaware of a threat or incident or its magnitude and effects. Further, there are increasing regulation requirements regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm.

Governance

We apply NIST 800-53, which is a standardized risk management framework for managing and securing our information system. The first step in system authorization is system categorization. This step creates the baseline security controls, depending on the infrastructure and data type. Different data types require different levels of security. Examples of information types may be health care data, banking information or client data. In addition to data types, how and where data is stored is also a consideration when developing security controls. We have applied recommended security controls to match system categorization. For us, our data would be classified as company confidential. We do not store protected health information, personal identifiable information, which is information which permits the identity of an individual to whom the information applies to be reasonably inferred, or client financial information.

For storage and processing of data, we use third party storage. We have reviewed the security of the third party systems as well as the security of law firms that we retain to enforce our intellectual property rights, and we believe that they comply with our standards. However, we cannot assure you that the steps we have taken will be sufficient.

Our chief technical officer, Timothy Scahill, is responsible for our cybersecurity protection. Mr. Scahill is an ISC2 Certified Information System Security Professional.

Company Information

SIC Description: Wholesale-Miscellaneous Nondurable Goods
Ticker: QPRC - OTC
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30