Velo3D, Inc. 10-K Cybersecurity GRC - 2024-04-03

Page last updated on April 11, 2024

Velo3D, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-03 16:39:49 EDT.

Filings

10-K filed on 2024-04-03

Velo3D, Inc. filed an 10-K at 2024-04-03 16:39:49 EDT
Accession Number: 0001825079-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We recognize the critical importance of maintaining the trust and confidence of all our stakeholders. Our Board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to risk management. Our cybersecurity policies, standards, processes, and practices are fully integrated into our risk management program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Risk Management and Strategy As one of the critical elements of our overall risk management approach, our cybersecurity program is focused on the following key areas: Governance: The Board s oversight of cybersecurity risk management is supported by the Audit Committee of the Board, which receives, at a minimum, quarterly reports and presentations from our risk management function, our Vice President Information Technology (our " VP of IT “) and other members of management. The Board and Audit Committee also receive prompt and timely information regarding material cybersecurity incidents as described below. Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also executing controls and procedures that provide for the prompt escalation of certain material cybersecurity incidents so that decisions regarding the public disclosure and reporting of such material incidents can be made by management in a timely manner. 54 Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence. Incident Response and Recovery Planning: We have established and maintain comprehensive incident response and recovery plans to address our response to cybersecurity incidents, and such plans are tested and reviewed on an as needed basis. Our cybersecurity program includes a dedicated security incident response team (the " SIRT “) responsible for identifying, investigating, and mitigating cybersecurity threats. The SIRT follows a well-defined incident response process encompassing intake, investigation, mitigation, and recovery. This process leverages tools for threat detection and utilizes standardized protocols for containment, root cause analysis, and system restoration. By integrating security measures with a robust response process, we aim to minimize the impact of potential cyber incidents. Incident Reporting and Communication: We have established protocols for reporting material cybersecurity incidents to management, stakeholders, and regulatory bodies as required. The Board is promptly informed and receives ongoing updates regarding material cybersecurity incidents as described below. Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Education and Awareness: We provide annual mandatory training for personnel regarding cybersecurity threats to equip our employees and contractors with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. We engage in an annual assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, focused on evaluating the effectiveness of our cybersecurity measures and planning. Governance Our Board, supported by the Audit Committee, oversees our risk management process. The Audit Committee receives, at a minimum, quarterly presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The Board and the Audit Committee also receive prompt and timely information regarding any material cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our VP of IT, in coordination with our executive management team, works collaboratively across the company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Through ongoing communications with our entire employee basis and appropriate third-party contractors, the VP of IT, and our Head of Information Security, as well as the management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report threats and incidents to the Audit Committee, as needed. Our VP of IT oversees information technology (” IT “) strategy, operations, cybersecurity, compliance, and business applications. They are dedicated to accelerating and scaling our company by implementing innovative technology across the company. Additionally, they are an accomplished IT executive with over 20 years of leadership experience driving transformative change across diverse industries, including manufacturing, supply 55 chain, and software as a service. The VP of IT is a skilled technical leader proficient in technology strategy, enterprise architecture, and program management. Our Head of Information Security, Governance, Risk and Compliance is CISA certified and has over 20 years of leadership experience in IT audit and governance, risk and compliance (” GRC “) at companies like Google, Cisco, Federal Reserve Bank, & Vodafone. They have substantial expertise in implementing SOX compliance, NIST compliance, COSO / COBIT framework, GDPR compliance, privacy compliance, regulatory compliance, internal IT audit, ITIL/ ITSM standards and risk assessment. Additionally, they have established our enterprise risk management program and leads our infosec steering committee. They have also been instrumental in automating GRC and continuous control monitoring to drive efficiency at our company. Although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats in 2023 that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For more information on our cybersecurity risks, see " Risk Factors Risks Related to Compliance Matters Aspects of our business are subject to privacy, data use and data security regulations, which could increase our costs " and " Risks Related to Our Business and Industry We rely on our information technology systems to manage numerous aspects of our business and a disruption of these systems could adversely affect our business .

Company Information