CorMedix Inc. 10-K Cybersecurity GRC - 2026-03-05

Page last updated on March 5, 2026

CorMedix Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-05 08:32:10 EST.

Filings

10-K filed on 2026-03-05

CorMedix Inc. filed a 10-K at 2026-03-05 08:32:10 EST
Accession Number: 0001213900-26-023889

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Management and Strategy The Company has processes in place for assessing, identifying, preventing, and managing material risks from cybersecurity threats, including related to the use of third-party service providers. These processes are integrated into the Company's overall risk management program and systems, as overseen on a day-to-day basis by the Company's Senior Manager, IT. We maintain a formal data protection program consistent with the National Institute of Standards and Technology Cybersecurity Framework, including physical, technical and administrative safeguards to prevent and identify cybersecurity risks, and have implemented practices and procedures to address cybersecurity risks. To this end, among other things, we: ● provide annual mandatory training for our employees regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices; ● conduct regular simulation modules for all employees to enhance awareness and responsiveness to possible threats; ● conduct cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; and ● carry cyber liability insurance that is intended to provide protection against the potential losses arising from a cybersecurity incident; and ● review and monitor internal control audit reports for our significant third-party vendors to ensure sufficient controls are in place to mitigate security-related risks. In addition, we have in place a formal cybersecurity incident response plan, which we are currently harmonizing between the two companies as a result of the Merger in the third quarter of 2025. 31 CorMedix has a formal process to respond to events, identify incidents, and track progress for remediation. No events, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this Annual Report on Form 10-K. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services and loss of investor confidence. While we are regularly exposed to malicious technology-related events and threats, none of these, either individually or in the aggregate of related occurrences, have materially affected the Company in the period covered by this Annual Report on Form 10-K. In determining materiality, cybersecurity incidents are reviewed not only for potential financial impacts, which could include potential legal and regulatory penalties, stolen assets or funds, system damage, forensic and remediation costs, lost revenue or litigation costs, but also the breadth and sensitivity of data exposure, data exfiltration, impacts on the ability to operate our business or provide our services and loss of investor confidence. Governance Our Board of Directors (the "Board") executes its oversight responsibility for risk management both directly and through delegating oversight of certain risks to its committees. In particular, the Board has authorized the Audit Committee to oversee risks related to cybersecurity threats. As part of that oversight function, the Audit Committee oversees the Company's risk assessment and risk management policies, including related to cybersecurity and the Company's overall data protection program. Our senior management is responsible for assessing and managing the Company's various exposures to risk, including those related to cybersecurity, on a day-to-day basis, including the identification of risks through an enterprise risk management framework and the creation of appropriate risk management programs and policies to address such risks. In particular, the Company's Senior Manager, IT, has 25 years of experience in enterprise IT and has primary responsibility for managing our cybersecurity program and efforts. Our finance and IT teams are responsible for the testing and audit of our information-technology related internal controls. Company management regularly reports to the Audit Committee on our cybersecurity program strategy and implementation, and on an ad-hoc basis, as needed, in the event of a security incident. See Item 1A, Risk Factors , for additional information on the Company's cybersecurity risk profile, in particular the risk factor under the headings entitled " Risks relating to data privacy could create additional liabilities for us ".

Company Information