Autonomix Medical, Inc. 10-K Cybersecurity GRC - 2025-05-29

Page last updated on May 30, 2025

Autonomix Medical, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-29 17:00:54 EDT.

Filings

10-K filed on 2025-05-29

Autonomix Medical, Inc. filed a 10-K at 2025-05-29 17:00:54 EDT
Accession Number: 0001437749-25-018831

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize that cybersecurity is integral to safeguarding our operations, intellectual property, patient data and stakeholder trust. Our cybersecurity risk management processes are designed to assess, identify and mitigate material risks from cybersecurity threats. Despite our best efforts to improve cybersecurity measures, there can be no assurance that our initiatives will fully mitigate the risks posed by cyber threats. The landscape of cybersecurity risks is constantly evolving and we will continue to assess and update our cybersecurity measures in response to emerging threats. Risk Assessment and Identification We have implemented security measures as part of an evolving cybersecurity posture and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks and mitigate the damage that could result from such an attack. As the Company does not have a physical office location, it does not have a local network or in-house servers and proprietary applications. We therefore utilize third-party applications and resources to support our information technology (“IT”) needs. All applications utilized by the Company are Software as a Service (“SaaS”) offerings. As our applications are developed and managed by third parties, we are dependent on these providers for many functions including disaster recovery during a disaster or cyber incident. We prioritize risks based on their potential impact to our financial condition, operational continuity and reputation. Our goal is to only utilize the most secure and trusted providers for our IT needs. Risk Management Processes Our cybersecurity strategy integrates multiple layers of defense to manage identified risks: - Preventive Controls : We deploy advanced firewalls, endpoint protection and intrusion detection systems to secure our network infrastructure. Multi-factor authentication and encryption are enforced across critical systems and data repositories. - Monitoring and Detection : Continuous monitoring of our IT environment is facilitated through our third -party service provider. - Incident Response : We maintain an incident response plan that outlines procedures for containment, eradication, and recovery from cybersecurity incidents. - Employee Training : All employees receive mandatory cyber security awareness training at onboarding, covering phishing prevention, secure data handling and how to recognize common attack strategies and reporting suspicious activities. Third-Party Risk Management We rely on third -party vendors for certain operational and IT services. To mitigate risks associated with these vendors, we will implement a vendor risk management program that includes: - Due diligence reviews of third -party vendors’ cybersecurity policies and practices prior to, and during, potential engagement. - Contractual requirements for third -party vendors to maintain robust security controls, where applicable, and report incidents promptly. Material Impact of Cybersecurity Risks Cybersecurity threats have the potential to disrupt operations, compromise sensitive data or lead to regulatory penalties. Our proactive risk management processes are designed to minimize the likelihood and impact of such events. As of March 31, 2025, we did not experience any cybersecurity incidents. Cybersecurity Governance The Audit Committee is responsible for oversight of cybersecurity risk. Our Chief Executive Officer and Chief Financial Officer are the members of management responsible for managing and assessing our cybersecurity practices. Our Chief Executive Officer and Chief Financial Officer have each served as executive officers of public companies in the past. The plan for the future is that they will report to the Audit Committee on cybersecurity on a semi-annual basis. Should any cybersecurity threat or incident be detected, our senior management team would timely report such threat or incident to the Audit Committee and provide regular communications and updates throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken. We believe we are appropriately staffed (as supported by our outsourced IT provider) to support a healthy cybersecurity posture given our size and scope. Our Chief Financial Officer, who reports to the Chief Executive Officer, is directly responsible for IT functions. To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the above aforementioned efforts, a cyberattack, if it occurred, could cause system operational problems, disrupt service to clinical trial sites, compromise important data or systems or result in an unintended release of confidential information. See “Item 1A. Risk Factors” for additional discussion of cybersecurity risks impacting our Company.

Company Information