XWELL, Inc. 10-K Cybersecurity GRC - 2024-04-16

Page last updated on April 16, 2024

XWELL, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-16 17:30:26 EDT.

Filings

10-K filed on 2024-04-16

XWELL, Inc. filed a 10-K at 2024-04-16 17:30:26 EDT
Accession Number: 0001558370-24-005211


Item 1C. Cybersecurity.

We operate in the health and wellness sector, which faces various cybersecurity risks that could adversely impact our business, financial condition, and operations. These risks include, but are not limited to, potential attacks to steal intellectual property, commit fraud or extortion, harm employees or customers, violate privacy laws, or damage our reputation. Recognizing the importance of cybersecurity, we have measures in place to protect sensitive information and prevent data loss or other security breaches. Management is actively involved in continuously assessing and addressing privacy and compliance cybersecurity threats through prevention, detection, and response. Our current program was established in 2022 and is based on the NIST Cybersecurity Framework (NIST CSF), outlining governance, policies, procedures, and technologies to identify and manage cyber risks.

Our Director of Data Privacy & Security and the Privacy & Compliance Committee (the Committee) oversee day-to-day cybersecurity activities, supported by our managed service provider (MSP) partner. The Director of Data Privacy & Security is a highly qualified cybersecurity governance practitioner with industry credentials such as Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP), Project Management Professional (PMP), and Certified Secure Software Lifecycle Professional (CSSLP), amongst others. The Committee provides oversight and receives regular updates on program status, capabilities, objectives, and evolving threats. The Committee members include our Director of Data Privacy & Security and Director of Technology Operations. In the event of a cybersecurity incident, the Committee would be expanded to include our General Counsel. Data is collected and reviewed as needed, and reviewed weekly by our Director of Technology Operations.
The Committee reviews all potential incidents as well as all remediation and future mitigation measures. Formal updates regarding potential incidents and/or other cybersecurity initiatives are provided to our CEO on an as-needed basis, and our CEO communicates such incidents and/or cybersecurity initiatives to the Audit Committee of the Board of Directors (the Audit Committee). Depending on the materiality of a potential incident and/or cybersecurity initiative, the Committee will present all information directly to the Audit Committee.

Our cybersecurity program implements a defense-in-depth strategy, ensuring comprehensive safeguards are in place across various security domains. These include intrusion detection and prevention firewalls (IPS/IDS) with Advanced Malware Protection (AMP), Azure Conditional Access Policies, Multi-Factor Authentication (MFA), Identity and Access Management (IAM), Vulnerability Management, Endpoint Detection and Response (EDR) using CrowdStrike Falcon Complete with Managed Detection and Response (MDR), Data Loss Prevention (DLP), Barracuda XDR for Security Information and Event Management (SIEM), ongoing Security Awareness and Phishing Simulation exercises via KnowBe4 aimed at mitigating the risk of social engineering attacks, and Mobile Device Security Management. A robust incident response system is in place via our MSP partner to handle all security incidents, including email (malware, phishing, etc.), cloud, endpoint, and data loss prevention alerts and incidents across the organization. Our information security governance is underpinned by standards and policy documents that are reviewed by the Committee and updated annually by the Director of Data Privacy & Security. Selection of domain areas for monitoring was based on a risk-based approach aligned with the NIST CSF that accounted for the current threat landscape.
Through risk assessments evaluating threats, vulnerabilities, and potential impacts, domains are prioritized by severity and likelihood. This allows us to focus our monitoring strategy and resources on the highest risk areas while adapting to the evolving cybersecurity environment. When a security threat is detected, we follow an established process: (1) threat identification and validation; (2) assessment of the severity based on affected assets and potential impacts; (3) evaluation of overall risk as it relates to our risk tolerance; (4) planning and executing a response plan with mitigating actions; (5) continuous monitoring and adjustment of the response; and (6) conducting a post-incident review to identify lessons learned from the event and preventative measures.

Key risks that have been deemed material include, but are not limited to, the potential for data exfiltration from unmanaged devices, insufficient staffing and tools due to recent budgetary reductions, increased risk of managing protected health information in-house, potentially ineffective cybersecurity governance due to a singular reporting structure, and lack of visibility and protection for the remote workforce. While no major incident has significantly impacted our business, operations or financial condition, a breach could damage our reputation, disrupt operations, and trigger legal or regulatory actions, among others. We currently have cyber insurance to help cover potential impacts. Our disclosure outlines program highlights while summarizing key risks and plans to continue maturing cybersecurity capabilities to safeguard the business.

The Audit Committee is responsible for oversight of risks from cybersecurity threats in conjunction with the Committee. The Audit Committee receives quarterly reports and updates from the Committee with respect to the management of risks from cybersecurity threats.
Such reports cover our information technology security program, including its status, capabilities, objectives, and plans, as well as the evolving cybersecurity threat landscape. Additionally, the Audit Committee considers risks from cybersecurity threats as part of its oversight of our business strategy, risk management, and financial oversight by reviewing our incident and response matrix, as well as unremediated threats. In addition, the Committee will provide a mitigation and remediation roadmap based on threat criticality for review by the Audit Committee. We leverage the advice of our MSP partner to actively monitor our networks and software through their dedicated security operations center.

We also have policies and procedures to oversee and identify the risks from cybersecurity threats associated with our use of third-party service providers. A third-party risk management program was established in 2022, defining four vendor risk tiers based on data sensitivity, regulatory requirements, and service criticality. All vendors undergo risk assessments, with Tier 1 and 2 high-risk vendors facing more rigorous reviews during onboarding, offboarding, and annual recertifications. Vendors complete risk control surveys, with additional documentation such as SOC reports requested from Tier 1 and 2 vendors depending on their risk profile. Each vendor is scored based on service type, data handled, and their responses to the questionnaire. This risk-based approach ensures proper oversight of vendor relationships and informs decisions on both who and how we choose to partner.


Company Information

Name: XWELL, Inc.
CIK: 0001410428
SIC Description: Services-Personal Services
Ticker: XWEL - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30