Shapeways Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Shapeways Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 17:23:50 EDT.

Filings

10-K filed on 2024-03-28

Shapeways Holdings, Inc. filed an 10-K at 2024-03-28 17:23:50 EDT
Accession Number: 0001628280-24-013659

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy We have implemented and maintain a cybersecurity program (the Cybersecurity Program ) that includes various processes designed to identify, assess, and manage material risks from cybersecurity threats. The Cybersecurity Program processes utilize a risk-based approach including a cybersecurity incident response plan. We work with a third-party vendor, which has extensive cybersecurity expertise to help protect and defend our networks, physical systems, infrastructure, and data from cybersecurity threats. This vendor has advised us on material cybersecurity-related risks and helped us establish controls designed to protect, detect, respond to, and recover from cybersecurity incidents. These controls include a firewall protection that is implemented in all three of our facilities, antivirus software protection, two-factor authentication enforced on all endpoints including Windows PCs and laptops, and intrusion prevention software designed to automatically block any unauthorized access attempts on our servers. Our cybersecurity controls are embedded within our overall risk management processes and technology, including a 24/7 threat monitoring system provided by the vendor. We are in the process of developing and implementing procedures to oversee or identify material risks from cyber threats associated with use of third party service providers. Governance The audit committee of our board of directors is responsible for oversight of the Company s cybersecurity and other information technology risks, controls and procedures, including the Company s plans to mitigate cybersecurity risks and to respond to data breaches. The audit committee receives quarterly updates on our Cybersecurity Program from our Chief Technology Officer ( CTO ) at its regularly-scheduled committee meetings or more frequently as needed. The chair of the audit committee then briefs the full board of directors on matters covered at the audit committee meeting, including cybersecurity matters. Our Cybersecurity and Information Technology team is led by our CTO, who is responsible for cybersecurity risk management. Our CTO has held multiple leadership positions in the information technology (“IT”) industry with responsibilities for and influence over cybersecurity implementation delivery. Our CTO executes the Cybersecurity Program and is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents, with the support of the IT team and our third-party cybersecurity vendor. Our cybersecurity incident response framework is governed by our cybersecurity incident response plan, which sets out our approach for categorizing, responding to, and mitigating cybersecurity incidents. We have an incident response team whose primary responsibilities include: Evaluating and validating the impact of an incident Approving and implementing certain incident response countermeasures and remediation actions and Escalating incidents and response countermeasures for approval As of the date of this Report, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, the sophistication of cyber threats continues to increase, and the preventative actions we take to reduce the risk of cyber incidents and protect our systems and information may be insufficient. Accordingly, no matter how well our controls are designed or implemented, we will not be able to anticipate all security breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner.

Company Information