908 Devices Inc. 10-K Item 1C. Cybersecurity - 2026-03-09
908 Devices Inc. disclosed their cybersecurity strategy, risk management and governance process in an annual SEC Filing 10-K filing on 2026-03-09 06:12:00 EDT
Company Summary
908 Devices Inc. develops and manufactures purpose-built handheld and desktop analytical devices for point-of-need chemical and biochemical analysis, leveraging microscale mass spectrometry, optical spectroscopy, microfluidics, and embedded analytics/machine learning for applications in forensics, bioprocessing, pharma/biopharma and life sciences.
Filings
10-K filed on 2026-03-09
908 Devices Inc. filed an SEC Filing 10-K filing on 2026-03-09 06:12:00 EDT.
Accession Number: 0001104659-26-024877
Item 1C. Cybersecurity
Item 1C - Cybersecurity
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature (collectively, Information Systems and Data).
Our Senior Director of Information Technology and our incident response team are tasked with helping to identify, assess and manage the Company's cybersecurity threats and risks. They identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company's risk profile using various methods including, for example: manual tools, automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of the threat environment, internal and external audits, and conducting vulnerability assessments to identify vulnerabilities.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident response plans , disaster recovery and business continuity plans, risk assessments, encryption of data, network security controls, data segregation, access controls, physical security measures, systems monitoring, employee training, penetration testing, cybersecurity insurance, as well as asset management, tracking and disposal.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes. For example, as part of our cybersecurity risk management program, we have a process to assess and review the cybersecurity practices of major third-party vendors and service providers that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems, including through review of applicable certifications, and security reports, and contractual requirements, as appropriate.
From time to time, we use third-party service providers to assist us in an effort to identify, assess, and manage material risks from cybersecurity threats, including, for example: cybersecurity software providers, managed cybersecurity service providers, and penetration testing firms.
We use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management program designed to manage cybersecurity risks associated with our use of these providers, which includes, as appropriate, a review of the relevant vendor's security program. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including "We and the third parties with whom we work are subject to stringent and evolving U.S. and foreign laws, regulations, and rules, contractual obligations, industry standards, policies and other obligations related to data privacy and security. Our actual or perceived failure (or that of the third parties with whom we work) to comply with such obligations could lead to regulatory investigations or actions; litigation (including class claims) and mass arbitration demands; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse business consequences."
Governance Related to Cybersecurity Risks
Our board of directors, as a whole and through its committees, holds overall oversight responsibility for our risk management processes, including in relation to risks from cybersecurity threats. Our board of directors exercises its oversight function through the audit committee , which oversees the management of risk exposure across various areas, including cybersecurity risks. The audit committee receives quarterly reports from our Senior Director of Information Technology on the status of our cybersecurity program, including measures designed to monitor and address cybersecurity risks and threats, as appropriate. The Chair of the audit committee provides a quarterly report to the board of directors, which includes updates on certain cybersecurity matters, as applicable.
Our Senior Director of Information Technology is responsible for the day-to-day administration and management of our cybersecurity program, including hiring appropriate personnel, helping to integrate cybersecurity risk considerations
into the Company's overall risk management strategy, and communicating key priorities to relevant personnel. The Senior Director of Information Technology is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our Senior Director of Information Technology has approximately 21 years of information technology experience, including 12 years of cybersecurity experience. We also work with external security service providers to support our security monitoring and threat detection capabilities and have implemented a process to report relevant findings to the Senior Director of Information Technology and other members of executive management, where appropriate.
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Financial Officer and Chief Legal and Administrative Officer, who work with the Company's incident response team to help the Company respond to, mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company's incident response processes include reporting to the audit committee of the board of directors for certain cybersecurity incidents.
Company
Profile
| Name | 908 Devices Inc. |
|---|---|
| CIK | 1555279 |
| SIC Description | |
| Industry | |
| Ticker | MASS |
| Website | https://908devices.com/ |
| Category | Non-accelerated Filer |
| Fiscal Year End | December 31 |