DELCATH SYSTEMS, INC. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

DELCATH SYSTEMS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 09:15:35 EST.

Filings

10-K filed on 2026-02-26

DELCATH SYSTEMS, INC. filed a 10-K at 2026-02-26 09:15:35 EST
Accession Number: 0001628280-26-012019

Item 1C. Cybersecurity.

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and clinical trial data results ("Information Systems and Data").

The Company's Chief Financial Officer ("CFO"), Associate Vice President of Information Technology ("AVPIT") and other IT professionals (together, "IT Team") help identify, assess and manage cybersecurity risk, including input from employees, and devote resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats. The IT Team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company's risk profile using various methods including, for example, maintaining manual and automated tools, conducting scans of threats and threat actors, subscribing to reports and services that identify cybersecurity threats, evaluating threats reported to us, completing internal and external audits, using external intelligence feeds and completing third-party threat assessments.

We have processes and standards to address cybersecurity matters and mitigate material cybersecurity risk. We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, access controls, identity and access management controls, multi-factor authentication across remote access and cloud-based systems, endpoint protection, malware prevention, disaster recovery and business continuity plans, incident detection and response procedures, and remote access security. All employees are required to complete cybersecurity training at least once a year, and employees also participate in periodic security awareness activities, including simulated phishing exercises, to reinforce cybersecurity best practices.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes. For example, our AVPIT along with management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Board, which evaluates our overall enterprise risk. The IT Team has a dedicated staff with combined experience of over 30 years with degrees in Computer Science and Information Science. The IT Team is responsible for reporting on cybersecurity matters to the Board.

We support our information security program with external resources including cybersecurity software providers and advisors, as appropriate. We have a vendor management process to manage cybersecurity risks associated with our use of external providers that includes security reviews conducted prior to onboarding new systems or services, reviews of vendor audits and reports, and contractual obligations related to information security. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework.

The Board, as part of its general oversight function, participates in discussions with senior management and amongst themselves regarding cybersecurity risks. With the assistance of the Company's most senior IT staff, we review annually the cyber and data security risks of our overall IT environment. We assess cybersecurity risk and the overall environment, which includes devices, IT systems, websites, social media accounts, manufacturing technology and systems and suppliers and vendors. The oversight from the Board includes material changes to relevant policies, procedures, employee training, and elements of the overall environment, as necessary, and senior management provides updates to the Board regarding emerging cybersecurity threats. The Board has access, as requested, to various reports, summaries or presentations related to cybersecurity, risk and mitigation efforts.

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of senior management depending on the circumstances. Senior management works with the Company's cybersecurity incident response team to mitigate and remediate cybersecurity incidents of which they are notified. The cybersecurity incident response plan also includes reporting to the Board for certain cybersecurity incidents. Disaster recovery and business continuity plans are reviewed on an ongoing basis and evaluated periodically to support the resiliency of the Company's Information Systems and Data.

We face a number of cybersecurity risks in connection with our business. For more information about the cybersecurity risks we face, see the risk factor entitled "We and the third parties with whom we work rely on the proper function, availability and security of information technology systems to operate our business and a cyber-attack or other breach of these systems, or our data, could have a material adverse effect on our business, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences" in Item 1A - Risk Factors.


Company Information

Name: DELCATH SYSTEMS, INC.
CIK: 0000872912
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: DCTH - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 31