OPGEN INC 10-K Cybersecurity GRC - 2024-06-03

Page last updated on July 16, 2024

OPGEN INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-03 16:59:09 EDT.

Filings

10-K filed on 2024-06-03

OPGEN INC filed a 10-K at 2024-06-03 16:59:09 EDT
Accession Number: 0001829126-24-003930

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Following the March 2024 Private Placement, our focus has been on the identification of a privately held company to complete a reverse merger or similar strategic transaction. While we continue to maintain minimal distribution, marketing, and sales support, we have scaled down operations to the core functions of a U.S. Nasdaq listed company to conserve cash and focus on the functions needed to pursue potential strategic alternatives. We have implemented risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third-parties that may lead to a service disruption or an adverse cybersecurity incident. This includes an assessment of vendors during the selection/onboarding process and a review of SOC 1 reports on an annual basis. In addition, we maintain policies over areas such as information security, access on/offboarding, and access and account management, to help govern the processes put in place by management designed to protect our IT assets, data, and services from threats and vulnerabilities. We partner with industry recognized IT providers leveraging third-party technology and expertise. These third-party service providers are a key part of our current cybersecurity risk management and provide services including, maintenance of an IT assets inventory, periodic vulnerability scanning, identity access management controls including restricted access of privileged accounts, network integrity safeguarded by employing web-based software, including endpoint protection, endpoint detection and response, and remote monitoring management on all devices, industry-standard encryption protocols and critical data backups. Our outsourced information technology consultant conducts proactive patching and monitoring of all of our existing systems and has implemented systems and procedures to mitigate cybersecurity risks that we believe are appropriate for a company of our size, stage of growth and financial condition. In addition, we carry insurance with coverage for cyber events that we believe is suitable for a company of our size, stage of growth and financial condition. Governance Management is responsible for the day-to-day management of the risks we face, while our Board of Directors and Audit Committee has responsibility for the oversight of risk management, including risks from cybersecurity threats. In its risk oversight role, our Board of Directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are appropriate and functioning as designed. The Board of Directors has delegated to the Audit Committee of the Board of Directors the responsibility for the oversight of information technology, including cybersecurity risks. Member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk services brief the Audit Committee on cyber vulnerabilities identified through the risk management process, emerging threat landscape and new cyber risks, and provide updates on our processes to prevent, detect, and mitigate cybersecurity incidents. We face risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. We acknowledge that the risk of cyber incident is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of its business. We proactively seek to detect and investigate unauthorized attempts and attacks against our IT assets, data, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to service delivery; however, potential vulnerabilities to known or unknown threats will remain. As of the date of this Annual Report, we are not aware of any cybersecurity threats, and have not experienced any cybersecurity incidents, that have materially affected us, including our business strategy, results of operations or financial condition. For additional information concerning risks related to cybersecurity, see Item 1A. Risk Factors: Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation. 9

Company Information