BIOLARGO, INC. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

BIOLARGO, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:45:45 EDT.

Filings

10-K filed on 2024-04-01

BIOLARGO, INC. filed an 10-K at 2024-04-01 16:45:45 EDT
Accession Number: 0001437749-24-010394

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity for additional details on our cybersecurity program. Because of high inflation and increased Federal Reserve interest rates in response, and world events, the effect on the capital markets and the economy is uncertain, and we may have to deal with a recessionary economy and economic uncertainty. Certain events have affected the global and United States economy including continued inflation, Federal Reserve interest rate increases in response, substantial increases in the prices of oil and gas, dramatic declines in the capital markets, and world events such as Russia s invasion of Ukraine and other world power s developing response to the invasion. The duration of Russia s war and its impact are at best uncertain. The economy appears to be headed into a recession with uncertain and potentially severe impacts upon public companies and us. We cannot predict how this will affect the market for our products and services, but the impact may be adverse. 17 Table of Contents The global banking system has recently come under increased pressure and uncertainty about every bank s ability to maintain solvency in times of crisis and when a run on the bank occurs. While the US Government has taken action to stabilize the current banking situation, it is not possible to predict the future and the psychology of the market can be fickle and unpredictable. Our company is not exposed to the risk associated with smaller regional banks like Silicon Valley Bank, but we do maintain balances in excess of the $250,000 FDIC insurance level, at large money center banks and as such should the actions taken by the US Government fail to mitigate the situation, impacts could extend to the largest banks in the world, including ours. A recession in the United States may affect our business. If the U.S. economy were to contract into a recession or depression, our existing clients, and potential future clients, may divert their resources to other goods and services, and our business may suffer. Risks Relating to our Common Stock The sale or issuance of our common stock to Lincoln Park may cause dilution, and the sale of the shares of common stock acquired by Lincoln Park, or the perception that such sales may occur, could cause the price of our common stock to fall. On December 13, 2022, we entered into a Purchase Agreement with Lincoln Park (“LPC Agreement”), pursuant to which Lincoln Park agreed to purchase from us at our request up to an aggregate of $10,000,000 of our common stock (subject to certain limitations) from time to time over a period of three years. We generally have the right to control the timing and amount of any sales of our shares to Lincoln Park. Sales of our common stock, if any, to Lincoln Park will depend on market conditions and other factors to be determined by us. We may ultimately decide to sell to Lincoln Park all, some or none of the shares of our common stock that may be available for us to sell pursuant to the LPC Agreement. If and when we do sell shares to Lincoln Park, after Lincoln Park has acquired the shares, Lincoln Park may resell all, some or none of those shares at any time or from time to time at its discretion. Therefore, sales to Lincoln Park by us could result in substantial dilution to the interests of other holders of our common stock, as well as sales of our stock by Lincoln Park into the open market causing fluctuations or reductions in the price of our common stock. Additionally, the sale of a substantial number of shares of our common stock to Lincoln Park, or the anticipation of such sales, could make it more difficult for us to sell equity or equity-related securities in the future at a time and at a price that we might otherwise desire to effect sales. Our common stock is thinly traded and largely illiquid. Our stock is currently quoted on the OTC Markets (OTCQB). Being quoted on the OTCQB has made it more difficult to buy or sell our stock and from time to time has led to a significant decline in the frequency of trades and trading volume. Continued trading on the OTCQB will also likely adversely affect our ability to obtain financing in the future due to the decreased liquidity of our shares and other restrictions that certain investors have for investing in OTCQB traded securities. While we intend to seek listing on the Nasdaq Stock Market ( Nasdaq ) or another national stock exchange when our company is eligible, there can be no assurance when or if our common stock will be listed on Nasdaq or another national stock exchange. The market price of our stock is subject to volatility. Our stock price has been and is likely to continue to be volatile. As a result of this volatility, investors may not be able to sell their common stock at or above their purchase price. The market price of our common stock may fluctuate significantly in response to numerous factors, many of which are beyond our control, including: developments with respect to patents or proprietary rights announcements of technological innovations by us or our competitors announcements of new products or new contracts by us or our competitors actual or anticipated variations in our operating results due to the level of research and development expenses and other factors changes in financial estimates by securities analysts and whether any future earnings of ours meet or exceed such estimates conditions and trends in our industry new accounting standards the size of our public float short sales, hedging, and other derivative transactions involving our common stock sales of large blocks of our common stock including sales by our executive officers, directors, and significant stockholders general economic, political and market conditions and other factors our decision to sell our stock to Lincoln Park the activities of third parties that market and distribute our products, and decisions made by them to increase or decrease such activities, resulting in increases or decreases in product purchases from us and thus our revenues the occurrence of any of the risks described herein. 18 Table of Contents You may have difficulty selling our stock because it is deemed a penny stock and not quoted on a national exchange. Because our common stock is not quoted or listed on a national securities exchange, if the trading price of our common stock remains below $5.00 per share, which we expect for the foreseeable future, trading in our common stock will be subject to the requirements of certain rules promulgated under the Securities Exchange Act of 1934, as amended (the Exchange Act ), which require additional disclosure by broker-dealers in connection with any trades involving a stock defined as a penny stock (generally, any non-Nasdaq equity security that has a market price of less than $5.00 per share, subject to certain exceptions). Such rules require the delivery, before any penny stock transaction, of a disclosure schedule explaining the penny stock market and the risks associated therewith and impose various sales practice requirements on broker-dealers who sell penny stocks to persons other than established customers and accredited investors (generally defined as an investor with a net worth in excess of $1,000,000 or annual income exceeding $200,000 individually or $300,000 together with a spouse). For these types of transactions, the broker-dealer must make a special suitability determination for the purchaser and have received the purchaser s written consent to the transaction before the sale. The broker-dealer also must disclose the commissions payable to the broker-dealer and current bid and offer quotations for the penny stock and, if the broker-dealer is the sole market-maker, the broker-dealer must disclose this fact and the broker-dealer s presumed control over the market. Such information must be provided to the customer orally or in writing before or with the written confirmation of trade sent to the customer. Monthly statements must be sent disclosing recent price information for the penny stock held in the account and information on the limited market in penny stocks. The additional burdens imposed on broker-dealers by such requirements could discourage broker-dealers from effecting transactions in our common stock, which could severely limit the market liquidity of our common stock and the ability of holders of our common stock to sell their shares. Because our shares are deemed a penny stock, rules enacted by FINRA make it difficult to sell previously restricted stock. Rules put in place by the Financial Industry Regulatory Authority (FINRA) require broker-dealers to perform due diligence before depositing unrestricted common shares of penny stocks, and as such, some broker-dealers, including many large national firms (such as eTrade and Charles Schwab), are refusing to deposit previously restricted common shares of penny stocks. We routinely issued non-registered restricted common shares to investors, vendors and consultants. The issuance of such shares is subjected to the FINRA-enacted rules. As such, it can be difficult for holders of restricted stock, including those issued in our private securities offerings, to deposit the shares with broker-dealers and sell those shares on the open market. Because we will not pay dividends in the foreseeable future, stockholders will only benefit from owning common stock if it appreciates. We have never declared or paid a cash dividend to stockholders. We intend to retain any earnings that may be generated in the future to finance operations. Accordingly, any potential investor who anticipates the need for current dividends from his investment should not purchase our common stock, and must rely on the benefit of owning shares, and presumably a rise in share price. We cannot predict the future price of our stock, and due to the factors enumerated herein, can make no assurance of a future increase in the price of our common stock. We regularly issue stock, or stock options, instead of cash, to pay some of our operating expenses. These issuances are dilutive to our existing stockholders. We are party to agreements that provide for the payment of, or permit us to pay at our option, securities rather than cash in consideration for services provided to us. We include these provisions in agreements to allow us to preserve cash. We anticipate that we will continue to do so in the future. All such issuances preserve our cash reserve but are also dilutive to our stockholders because they increase (and will increase in the future) the total number of shares of our common stock issued and outstanding, even though such arrangements assist us with managing our cash flow. These issuances also increase the expense amount recorded. Our stockholders face further potential dilution in any new financing. During the year ended December 31, 2023, we issued approximately 14.5 million shares of common stock. Our private securities offerings typically offer convertible securities, including notes and warrants. Those warrants often include provisions that require investors to pay for the underlying shares with cash, which if executed would generate working capital for the company. Any additional capital that we raise would dilute the interest of the current stockholders and any persons who may become stockholders before such financing. Given the price of our common stock, such dilution in any financing of a significant amount could be substantial. Our stockholders face further potential adverse effects from the terms of any preferred stock that may be issued in the future. Our certificate of incorporation authorizes 50 million shares of preferred stock. None are outstanding as of the date hereof. In order to raise capital to meet expenses or to acquire a business, our board of directors may issue additional stock, including preferred stock. Any preferred stock that we may issue may have voting rights, liquidation preferences, redemption rights and other rights, preferences and privileges. The rights of the holders of our common stock will be subject to, and in many respects subordinate to, the rights of the holders of any such preferred stock. Furthermore, such preferred stock may have other rights, including economic rights, senior to our common stock that could have a material adverse effect on the value of our common stock. Preferred stock, while providing desirable flexibility in connection with possible acquisitions and other corporate purposes, can also have the effect of making it more difficult for a third party to acquire a majority of our outstanding voting stock, thereby delaying, deferring or preventing a change in control of our company. Risks Related to Privacy, Cybersecurity, and Our Technology Our business involves the use, transmission and storage of confidential information, and the failure to properly safeguard such information could result in significant reputational harm. We may at times collect, store, and transmit information of, or on behalf of, our clients that may include certain types of confidential information that may be considered personal or sensitive, and that are subject to laws that apply to data breaches. We believe that we take reasonable steps to protect the security, integrity, and confidentiality of the information we collect and store, but there is no guarantee that inadvertent or unauthorized disclosure will not occur or that third parties will not gain unauthorized access to this information despite our efforts to protect this information, including through a cyber-attack that circumvents existing security measures and compromises the data that we store. If such unauthorized disclosure or access does occur, we may be required to notify persons whose information was disclosed or accessed. Most states have enacted data breach notification laws and, in addition to federal laws that apply to certain types of information, such as financial information, federal legislation has been proposed that would establish broader federal obligations with respect to data breaches. We may also be subject to claims of breach of contract for such unauthorized disclosure or access, investigation and penalties by regulatory authorities and potential claims by persons whose information was disclosed. The unauthorized disclosure of information, or a cyber-security incident involving data that we store, may result in the termination of one or more of our commercial relationships or a reduction in client confidence and usage of our services. We may also be subject to litigation alleging the improper use, transmission, or storage of confidential information, which could damage our reputation among our current and potential clients and cause us to lose business and revenue. 19 Table of Contents ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company s overall risk management systems, as overseen by the Company s chief executive officer and board of directors. The Company engages information technology managed service providers (MSPs) to manage the Company s computer and information systems at its three office locations and remote locations. The MSPs are responsible for evaluating and testing the Company s risk management systems and assessing and remediating potential cybersecurity incidents as appropriate. The executives in charge of each physical office location are responsible for assessing and managing cybersecurity risks for their locations, and the Company s chief executive officer is responsible for assessing and managing cybersecurity risks to the Company as a whole. Because none of these individuals has specific training or experience in managing cybersecurity risks, MSPs that have expertise and experience in doing so are retained and relied upon. Our chief executive officer is responsible for escalating any cybersecurity matters as appropriate, in consultation with our legal counsel. Our board of directors is ultimately responsible for oversight of cybersecurity risk management and receives regular reports from Company management.
ITEM 1C. CYBERSECURITY The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes are integrated into the Company s overall risk management systems, as overseen by the Company s chief executive officer and board of directors. The Company engages information technology managed service providers (MSPs) to manage the Company s computer and information systems at its three office locations and remote locations. The MSPs are responsible for evaluating and testing the Company s risk management systems and assessing and remediating potential cybersecurity incidents as appropriate. The executives in charge of each physical office location are responsible for assessing and managing cybersecurity risks for their locations, and the Company s chief executive officer is responsible for assessing and managing cybersecurity risks to the Company as a whole. Because none of these individuals has specific training or experience in managing cybersecurity risks, MSPs that have expertise and experience in doing so are retained and relied upon. Our chief executive officer is responsible for escalating any cybersecurity matters as appropriate, in consultation with our legal counsel. Our board of directors is ultimately responsible for oversight of cybersecurity risk management and receives regular reports from Company management.

Company Information