Page last updated on July 16, 2024
AMERICAN SHARED HOSPITAL SERVICES reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 15:20:12 EDT.
Filings
10-K filed on 2024-04-01
AMERICAN SHARED HOSPITAL SERVICES filed a 10-K at 2024-04-01 15:20:12 EDT
Accession Number: 0001437749-24-010308
Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!
Item 1C. Cybersecurity.
Item 1C. Cybersecurity" below, there is no guarantee that the IT infrastructure developed by the Company and the cybersecurity measures implemented by the Company will be successful in preventing and defending against the evolving and increasingly sophisticated range of cyber incidents that the Company could be exposed to. Furthermore, there can be no assurance that the Company’s cybersecurity risk management strategy and processes will be fully implemented, complied with, or effective in safeguarding the Company’s data, systems, and information. Any actual compromise of or perceived threat to the Company’s IT systems and infrastructure could cause significant legal and financial exposure for the Company, damage the Company’s reputation, and create adverse publicity, which could adversely affect the Company’s business, operations, and financial condition. Any necessary response to a cyber-attack, which could include analyzing a security incident, patching up security vulnerabilities, notifying individuals affected by the incident, determining the materiality of the incident, disclosing the incident in accordance with any applicable legal and regulatory requirements, and responding to any resulting litigation, could also divert the Company’s resources and attention from its growth operations and business objectives, which could further hinder its operational and financial performance. Stock Ownership Risk The trading volume of the Company ’ s common stock is low Although the Company’s common stock is listed on the NYSE American, the Company’s common stock has historically experienced low trading volume. Reported average daily trading volume in our common stock for the three-month period ended December 31, 2023 was approximately 10,000 shares. There is no reason to think that a further increase in an active trading market in the Company’s common stock will develop in the future. Limited trading volume subjects the Company’s common stock to greater price volatility and may make it difficult for shareholders to sell their shares in a quantity or at a price that is attractive. ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY The Company recognizes the importance of securing its information, devices, and data and the IT systems it relies on to conduct its business. The Company has established its Network, Information, and Data Security Policy Guidelines (the “NIDSP Guidelines”) designed to protect the integrity and confidentiality of data and information belonging to or being exchanged by the Company and its employees, partners, customers, service providers, and suppliers and to safeguard that information and the Company’s IT infrastructure from unauthorized access, use, disclosure, alteration, and destruction. Risk Management and Strategy The protections, procedures, and controls set forth in the NIDSP Guidelines demonstrate the Company’s attention to and prioritization of cybersecurity as a component of its overall strategy and system for managing risks. The NIDSP Guidelines include five policies described below, that together define the Company’s strategy and practices for managing cybersecurity threats and mitigating cybersecurity risks. ● Physical Security Policy (the " PSP " ). The PSP establishes guidelines related to selecting IT operation sites, designating security zones, using, inspecting, and storing IT Assets, designing restricted-access and security controls, and monitoring compliance with safety and security standards. The goal of the PSP is to minimize risks of damage, destruction, unauthorized access, inadvertent disclosure, misuse, loss, or theft of the Company’s IT Assets. In accordance with the PSP, the Company: (i) evaluates IT operation sites based on their susceptibility to natural disasters, crime and theft, and unauthorized access; (ii) requires the use of keycards or biometrics in order to enforce security zones and give users the least amount of access required to do their jobs; (iii) requires systems and devices that store confidential data to be maintained and protected in accordance with the Company’s Confidential Data Policy; and (iv) requires visitors at the Company’s office to complete a sign-in log, wear a visitor badge, and be escorted by a designated employee at all times. ● Network Security Policy (the " NSP " ). The NSP aims to protect the integrity of the Company’s data by securing the systems and devices that make up the Company’s network infrastructure. Pursuant to the NSP, the Company: (i) enforces strict password-construction criteria for network devices; (ii) requires employees to verify their identities using multi-factor authentication to access internal resources; (iii) maintains and reviews logs from application services, network devices, and critical devices and requires the retention of logs in accordance with the Company’s Retention Policy; (iv) implements and configures firewall technology to filter both inbound and outbound network connections; (v) authorizes the IT Manager to determine the extent and scope of external security testing to be performed; (vi) establishes a software-use policy; and (vii) requires antivirus and anti-malware software to be used and timely patched and updated on any Company-provided devices. ● Backup Policy. The Company’s Backup Policy applies to all data stored on Company systems. The Backup Policy specifies the types of data and information considered to be critical to the Company’s operations and thus required to be backed up, establishes a backup schedule that is necessary for successful data recovery, and implements procedures for the off-site rotation, storage, and retention of backups. The Backup Policy also establishes the Company’s data-restoration procedures and mandates the periodic testing of those procedures. ● Remote Access Policy (the " RAP " ). The RAP defines the Company’s standards for accessing IT resources from outside the Company’s network, such as when an employee is working remotely. Pursuant to the RAP, remote access is only permitted if accomplished through secure, Company-provided means. The Company’s uses remote-access software designed to guard against unauthorized access using traffic encryption during transmission and firewall protections. ● Confidential Data Policy (the " CDP " ). The CDP governs the handling, storage, transmission, destruction, and protection of confidential data. Pursuant to the CDP, confidential data must be securely stored, removed from common areas, properly marked as confidential data, protected with strong encryption if being transmitted, and destroyed by means that make recovery impossible. Employees who are given access to confidential data are required to immediately notify their supervisor if they suspect any misuse or unauthorized disclosure of confidential information. The Company’s NIDSP Guidelines and policies apply not only to the Company’s employees and consultants but also to any third parties that access or utilize the Company’s information and systems. Such third parties may include the Company’s service providers, customers, suppliers, contractors, consultants, and any other individuals the Company conducts business with. The IT infrastructure that the Company has developed in accordance with the NIDSP Guidelines is designed to monitor both internal and external cybersecurity risks. The NIDSP Guidelines equip the Company with the tools and systems necessary to recognize, address, and protect against risks associated with its third-party interactions. Cybersecurity Governance The Company’s IT Manager and executive team is responsible for the day-to-day management of cybersecurity risks, while the Company’s Board of Directors has responsibility for oversight of risk management. As part of the Company’s framework for cybersecurity risk oversight and governance, the Company’s network, information, and data-security policies set forth in the NIDSP Guidelines are enforced by the Company’s IT Manager and/or its executive team. The IT Manager is an employee designated by the Company to manage the Company’s security policies and program. The IT Manager is tasked with ensuring that the Company maintains compliance with the Company’s security policies and any applicable security regulations. The IT Manager is responsible for: (i) implementing the Company’s security policies; (ii) disseminating the Company’s security policies to all employees; (iii) establishing a training program for all employees and users covered by the Company’s IT security policy to notify them of the Company’s security policies, train and re-train them to comply with the Company’s IT security program, and educate them on the importance of data security; (iv) performing any ongoing testing or analysis of the Company’s security infrastructure, policies, and procedures; and (v) updating the NSP and any other policies and guidelines as needed to comply with applicable regulations and to stay up to date with the changing IT security landscape. The IT Manager works closely with the Company’s management and executive team to determine the Company’s IT-related needs, to evaluate the sufficiency of the Company’s data-governance policies and practices, to keep the Company’s management informed of notable cybersecurity-related updates, to review its security-related policies, and to identify ways to strengthen the systems and procedures implemented by the Company to detect, assess, and manage data risks. In the event of the detection of an actual or suspected cybersecurity incident, the Company’s IT Team, lead by the IT Manager, assesses the incident as “minimal”, “low”, “moderate” or “high”. Incidents assessed at a minimal or low risk are reported to Company’s management and the Executive Chairman of the Board and the Executive Chairman of the Board may share this information with the Board. Incidents assessed at a moderate or high risk are reported to Company’s management, the Executive Chairman of the Board, and the Company’s Board of Directors. Notwithstanding the Company’s cybersecurity-related policies, procedures, and governance framework, the ever-present threat of a cyber-attack, data breach, or other security incident is pervasive. The increasingly sophisticated nature of the tactics used to circumvent IT security safeguards makes cybersecurity threats increasingly difficult to detect and respond to. While the Company does not believe its business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity threats or incidents, there is no assurance that the Company will not be materially affected by such threats or incidents in the future. Accordingly, the Company will continue to monitor cybersecurity risks and strive to invest in and strengthen its cybersecurity infrastructure.
ITEM 1C. CYBERSECURITY The Company recognizes the importance of securing its information, devices, and data and the IT systems it relies on to conduct its business. The Company has established its Network, Information, and Data Security Policy Guidelines (the “NIDSP Guidelines”) designed to protect the integrity and confidentiality of data and information belonging to or being exchanged by the Company and its employees, partners, customers, service providers, and suppliers and to safeguard that information and the Company’s IT infrastructure from unauthorized access, use, disclosure, alteration, and destruction. Risk Management and Strategy The protections, procedures, and controls set forth in the NIDSP Guidelines demonstrate the Company’s attention to and prioritization of cybersecurity as a component of its overall strategy and system for managing risks. The NIDSP Guidelines include five policies described below, that together define the Company’s strategy and practices for managing cybersecurity threats and mitigating cybersecurity risks. ● Physical Security Policy (the " PSP " ). The PSP establishes guidelines related to selecting IT operation sites, designating security zones, using, inspecting, and storing IT Assets, designing restricted-access and security controls, and monitoring compliance with safety and security standards. The goal of the PSP is to minimize risks of damage, destruction, unauthorized access, inadvertent disclosure, misuse, loss, or theft of the Company’s IT Assets. In accordance with the PSP, the Company: (i) evaluates IT operation sites based on their susceptibility to natural disasters, crime and theft, and unauthorized access; (ii) requires the use of keycards or biometrics in order to enforce security zones and give users the least amount of access required to do their jobs; (iii) requires systems and devices that store confidential data to be maintained and protected in accordance with the Company’s Confidential Data Policy; and (iv) requires visitors at the Company’s office to complete a sign-in log, wear a visitor badge, and be escorted by a designated employee at all times. ● Network Security Policy (the " NSP " ). The NSP aims to protect the integrity of the Company’s data by securing the systems and devices that make up the Company’s network infrastructure. Pursuant to the NSP, the Company: (i) enforces strict password-construction criteria for network devices; (ii) requires employees to verify their identities using multi-factor authentication to access internal resources; (iii) maintains and reviews logs from application services, network devices, and critical devices and requires the retention of logs in accordance with the Company’s Retention Policy; (iv) implements and configures firewall technology to filter both inbound and outbound network connections; (v) authorizes the IT Manager to determine the extent and scope of external security testing to be performed; (vi) establishes a software-use policy; and (vii) requires antivirus and anti-malware software to be used and timely patched and updated on any Company-provided devices. ● Backup Policy. The Company’s Backup Policy applies to all data stored on Company systems. The Backup Policy specifies the types of data and information considered to be critical to the Company’s operations and thus required to be backed up, establishes a backup schedule that is necessary for successful data recovery, and implements procedures for the off-site rotation, storage, and retention of backups. The Backup Policy also establishes the Company’s data-restoration procedures and mandates the periodic testing of those procedures. ● Remote Access Policy (the " RAP " ). The RAP defines the Company’s standards for accessing IT resources from outside the Company’s network, such as when an employee is working remotely. Pursuant to the RAP, remote access is only permitted if accomplished through secure, Company-provided means. The Company’s uses remote-access software designed to guard against unauthorized access using traffic encryption during transmission and firewall protections. ● Confidential Data Policy (the " CDP " ). The CDP governs the handling, storage, transmission, destruction, and protection of confidential data. Pursuant to the CDP, confidential data must be securely stored, removed from common areas, properly marked as confidential data, protected with strong encryption if being transmitted, and destroyed by means that make recovery impossible. Employees who are given access to confidential data are required to immediately notify their supervisor if they suspect any misuse or unauthorized disclosure of confidential information. The Company’s NIDSP Guidelines and policies apply not only to the Company’s employees and consultants but also to any third parties that access or utilize the Company’s information and systems. Such third parties may include the Company’s service providers, customers, suppliers, contractors, consultants, and any other individuals the Company conducts business with. The IT infrastructure that the Company has developed in accordance with the NIDSP Guidelines is designed to monitor both internal and external cybersecurity risks. The NIDSP Guidelines equip the Company with the tools and systems necessary to recognize, address, and protect against risks associated with its third-party interactions. Cybersecurity Governance The Company’s IT Manager and executive team is responsible for the day-to-day management of cybersecurity risks, while the Company’s Board of Directors has responsibility for oversight of risk management. As part of the Company’s framework for cybersecurity risk oversight and governance, the Company’s network, information, and data-security policies set forth in the NIDSP Guidelines are enforced by the Company’s IT Manager and/or its executive team. The IT Manager is an employee designated by the Company to manage the Company’s security policies and program. The IT Manager is tasked with ensuring that the Company maintains compliance with the Company’s security policies and any applicable security regulations. The IT Manager is responsible for: (i) implementing the Company’s security policies; (ii) disseminating the Company’s security policies to all employees; (iii) establishing a training program for all employees and users covered by the Company’s IT security policy to notify them of the Company’s security policies, train and re-train them to comply with the Company’s IT security program, and educate them on the importance of data security; (iv) performing any ongoing testing or analysis of the Company’s security infrastructure, policies, and procedures; and (v) updating the NSP and any other policies and guidelines as needed to comply with applicable regulations and to stay up to date with the changing IT security landscape. The IT Manager works closely with the Company’s management and executive team to determine the Company’s IT-related needs, to evaluate the sufficiency of the Company’s data-governance policies and practices, to keep the Company’s management informed of notable cybersecurity-related updates, to review its security-related policies, and to identify ways to strengthen the systems and procedures implemented by the Company to detect, assess, and manage data risks. In the event of the detection of an actual or suspected cybersecurity incident, the Company’s IT Team, lead by the IT Manager, assesses the incident as “minimal”, “low”, “moderate” or “high”. Incidents assessed at a minimal or low risk are reported to Company’s management and the Executive Chairman of the Board and the Executive Chairman of the Board may share this information with the Board. Incidents assessed at a moderate or high risk are reported to Company’s management, the Executive Chairman of the Board, and the Company’s Board of Directors. Notwithstanding the Company’s cybersecurity-related policies, procedures, and governance framework, the ever-present threat of a cyber-attack, data breach, or other security incident is pervasive. The increasingly sophisticated nature of the tactics used to circumvent IT security safeguards makes cybersecurity threats increasingly difficult to detect and respond to. While the Company does not believe its business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity threats or incidents, there is no assurance that the Company will not be materially affected by such threats or incidents in the future. Accordingly, the Company will continue to monitor cybersecurity risks and strive to invest in and strengthen its cybersecurity infrastructure.
Company Information
Name | AMERICAN SHARED HOSPITAL SERVICES |
CIK | 0000744825 |
SIC Description | Services-Medical Laboratories |
Ticker | AMS - NYSE |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |