TriSalus Life Sciences, Inc. 10-K Cybersecurity GRC - 2024-04-11

Page last updated on April 11, 2024

TriSalus Life Sciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-11 16:36:30 EDT.

Filings

10-K filed on 2024-04-11

TriSalus Life Sciences, Inc. filed a 10-K at 2024-04-11 16:36:30 EDT
Accession Number: 0001826667-24-000005


Item 1C. Cybersecurity.

Risk Management and Strategy Overview

As cybersecurity threats rapidly evolve in sophistication and become more prevalent, especially with the increasing use of artificial intelligence technology, we have implemented a cybersecurity risk management program as part of our oversight, evaluation and mitigation of enterprise-level risks. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to maintain the security, confidentiality, integrity, and availability of our business systems and confidential information, including personal information and intellectual property. Our cybersecurity risk management program leverages a combination of processes, technologies and personnel with expertise in cybersecurity to comply with applicable regulations and detect and respond to cyber-attacks, data breaches, security incidents, and compromises of personal information, as well as to regularly and promptly inform management and our Board of Directors of any significant cybersecurity risks and developments.

Our company currently does not have a Chief Information Security Officer (“CISO”) due to our size our Director of Operations (“DO”), with assistance from our third-party information technology (“IT”) support firm, leads the Company’s effort in establishing cybersecurity strategies and structures and helps identify, assess, and manage the Company’s cybersecurity threats and risk. Our DO regularly meets with our third-party IT support firm to discuss cybersecurity threats and risk. This team helps identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods and tools, for example, phishing and social engineering tests.

We have worked, and expect to continue to work, with third-party service providers, as appropriate, to assess, identify and manage cybersecurity risks. As such, our DO meets with the senior management from our IT support firm regularly to discuss work requests and issues raised that may need to be added to the network for security. We also conduct periodic and on-demand assessments of our cybersecurity risk management program with expert service providers to ensure it remains current, given the changing risk environment. The DO regularly updates cybersecurity matters to the executive management team.

We use third-party service providers to perform a variety of critical functions throughout our business, such as hosting providers, application providers, contract research organizations and contract manufacturing organizations. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our DO. Our DO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, communicating key priorities to relevant employees and personnel, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Our DO, with the appropriate members of management, will work with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response plan includes reporting to the Audit Committee of the board of directors for certain cybersecurity incidents.

Governance

Cybersecurity risks are overseen by the Board of Directors and the Audit Committee. The Audit Committee is central to the Board of Directors’ oversight of cybersecurity risks and bears the primary responsibility for overseeing cybersecurity risk. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major cybersecurity initiatives. This involvement ensures that cybersecurity considerations are integrated into our broader strategic objectives.

Our DO provides comprehensive updates to the Audit Committee quarterly and the full Board of Directors at least annually. These briefings have included a range of topics, such as: Current cybersecurity landscape and emerging threats; Status of ongoing cybersecurity initiatives and strategies; Incident reports and learnings from any cybersecurity events; Metrics demonstrating company and industry-standard prevention of common threats; and Regulatory changes impacting cybersecurity requirements and strategy. The Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats and is actively engaged in our cybersecurity risk management strategy.

As of the date of this report, there have been no cybersecurity threats that have materially affected or are reasonably likely to materially affect our business, operations, or financial condition. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report, including “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”


Company Information

Name: TriSalus Life Sciences, Inc.
CIK: 0001826667
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: TLSI - Nasdaq, TLSIW - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 30