RETRACTABLE TECHNOLOGIES INC 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

RETRACTABLE TECHNOLOGIES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 14:49:53 EDT.

Filings

10-K filed on 2024-03-29

RETRACTABLE TECHNOLOGIES INC filed a 10-K at 2024-03-29 14:49:53 EDT
Accession Number: 0001558370-24-004361


Item 1C. Cybersecurity.

We prioritize cybersecurity throughout our operations to protect sensitive data, ensure device integrity, and maintain business continuity. Our strategy is built on a layered approach encompassing proactive risk assessments, vulnerability management, data security, device security, employee training, and incident response. We have a documented incident response plan outlining steps for detection, containment, eradication, and recovery from cyberattacks. We conduct regular incident response drills to ensure preparedness. We use threat intelligence feeds and industry reports to stay informed about evolving cyber threats targeting the medical manufacturing industry.

We conduct annual comprehensive risk assessments using industry-standard methodologies and tailored questionnaires for medical manufacturing risks. We continuously monitor system logs and security alerts for suspicious activity indicative of potential attacks. We track and prioritize identified risks based on a risk scoring system considering factors like data sensitivity and operational disruption. We implement multi-factor authentication for all remote access and privileged accounts. We segment our network to isolate critical systems holding personal identifying information, corporate data, and operational data. We encrypt sensitive data at rest and in transit using industry-standard algorithms. We regularly patch vulnerabilities in our systems based on severity and potential exploitability. We have strict access controls in place, granting least privilege access based on job roles and responsibilities. We continuously monitor network activity for anomalies and suspicious behavior.

Cybersecurity risks are integrated into our enterprise risk management framework and considered alongside other operational and financial risks during decision-making processes.
The Information Security Officer (ISO) reports directly to the Chief Financial Officer (CFO) and regularly briefs the executive team on cybersecurity risks and mitigation strategies. We engage independent cybersecurity firms to conduct penetration testing, vulnerability assessments, and security audits of our IT and OT infrastructure. We also use external expertise for incident response support and regulatory compliance guidance.

We conduct thorough cybersecurity risk assessments of all third-party vendors before onboarding, evaluating their security controls, data handling practices, and incident response capabilities. We require vendors to sign contracts that mandate adherence to specific cybersecurity standards and data privacy regulations. We conduct ongoing monitoring of vendor security posture and require them to promptly report any security incidents.

The Board of Directors oversees the overall cybersecurity risk management program and holds management accountable for its effectiveness. The Board receives regular briefings on cybersecurity risks and mitigation strategies. The ISO regularly reports to the Board and executive management on the status of the cybersecurity risk management program, including key risks, mitigation strategies, and incident reports. The program is reviewed periodically to assess its effectiveness and identify areas for improvement. Management's role is to assist the Board in identifying and considering material cybersecurity risks, ensure implementation of management-level and employee-level cybersecurity practices and training, and provide the Board with regular reports regarding any cybersecurity attacks or vulnerabilities. As of the date of this Annual Report on Form 10-K, we believe that cybersecurity threats have not materially affected us, and, based on the current knowledge of Management, are not likely to materially affect us.
The ISO handles developing, implementing, and maintaining the cybersecurity risk management program and reports directly to the CFO who has the authority to allocate resources and make decisions related to cybersecurity. A cross-functional committee composed of representatives from Management, IT, legal, compliance, operations and other relevant departments aids the ISO in managing cyber risks and developing program initiatives. Business unit and departmental leaders are responsible for implementing cybersecurity controls within their areas of responsibility and reporting potential risks to the ISO. Regular cybersecurity awareness training is provided to all employees to educate them on cyber threats, best practices, and reporting procedures. Management and IT personnel receive additional training on specific security concepts and risk management techniques. We are committed to continuous improvement of our cybersecurity risk management program. We actively monitor industry best practices and adapt our program to address evolving threats and risks.


Company Information

Name: RETRACTABLE TECHNOLOGIES INC
CIK: 0000946563
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: RVP - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30