Neuraxis, INC 10-K Cybersecurity GRC - 2024-04-16

Page last updated on April 16, 2024

Neuraxis, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-16 16:33:32 EDT.

Filings

10-K filed on 2024-04-16

Neuraxis, INC filed an 10-K at 2024-04-16 16:33:32 EDT
Accession Number: 0001493152-24-014832

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY CYBERSECURITY RISK MANAGEMENT AND STRATEGY. NeurAxis has developed and implemented a cybersecurity framework intended to assess, identify and manage risks from threats to the security of our information, systems, products and network using a risk-based approach. The framework is informed in part by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Organization for Standardization 27001 (ISO 27001) Framework, although this does not imply that we meet all technical standards, specifications, or requirements under the NIST or ISO 27001. Our key cybersecurity processes include the following: Risk-based controls for information systems and information on NeurAxis networks: We seek to maintain an information technology infrastructure that implements physical, administrative and technical controls that are calibrated based on risk and designed to protect the confidentiality, integrity and availability of our information systems and information stored on NeurAxis networks, including customer information, personal information, PHI/PII, intellectual property and proprietary information. Cybersecurity incident policies: We have cybersecurity incident policies, an incident response plan and a dedicated team to respond to cybersecurity incidents, including experienced counsel. When a cybersecurity incident occurs or we identify a vulnerability, the dedicated team is responsible for leading the initial assessment of priority and severity, including external experts that may also be engaged as appropriate. NeurAxis response to incidents depends on the severity level and seeks to improve its cybersecurity incident response plan. NeurAxis, through experienced cybersecurity and HIPAA/HITECH counsel, has developed a security manual and a privacy policy. 60 Training: We provide security awareness training to help our employees understand their information protection and cybersecurity responsibilities at NeurAxis. We also provide additional role-based training to some employees based on customer requirements, regulatory obligations, and industry risks. Supplier risk assessments: We have participated in several third-party risk assessment processes that include expectations regarding information and cybersecurity. NeurAxis also seeks contractual commitments from key suppliers to appropriately secure and maintain their information technology systems and protect NeurAxis information that is processed or stored on their systems. This may or may not include business associate agreements, downstream vendor agreements and vendor auditing in some cases. Third-party assessments of NeurAxis: We have third-party cybersecurity companies engaged to assess NeurAxis cybersecurity readiness and to assist in identifying and remediating risks from cybersecurity threats. NeurAxis has a real time cybersecurity partner that monitors our servers 24/7/365 for any attempted intrusions. We have not identified risks from known cybersecurity threats, that have materially affected us, including our operations, business strategy, results of operations, cash flows or financial condition. We face certain ongoing risks from cybersecurity threats, including active interactions with children s hospitals while assisting with insurance prior approvals, that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, cash flows or financial condition. CYBERSECURITY GOVERNANCE. NeurAxis Board of Directors is responsible for oversight of cybersecurity risk. The Board receives reporting about NeurAxis practices, programs, notable threats or incidents and other developments related to cybersecurity throughout the year, including through periodic updates from NeurAxis Chief Regulatory Officer/Privacy Officer and VP of IT/Security Officer. NeurAxis Security Officer reports to NeurAxis Chief Regulatory Officer and together, they lead the Company s overall cybersecurity function. The Security Officer has over 12 years of experience in managing and leading IT or cybersecurity teams and participates in various cyber security trainings frequently. The Security Officer collaborates with NeurAxis personnel and our outside IT vendors to identify and analyze cybersecurity risks to NeurAxis, considers industry trends, implement controls, as appropriate and feasible, to mitigate these risks and enables business leaders to make risk-based business decisions that impact cybersecurity considerations. The Security Officer meets with senior leadership to review and discuss NeurAxis cybersecurity program, including emerging cyber risks, threats, and industry trends. The Security Officer also supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, including by collaborating with external security personnel and business stakeholders, and incorporating threat intelligence and other information obtained from governmental, public, or private sources to strengthen our cybersecurity technologies and processes.

Company Information