BIO KEY INTERNATIONAL INC 10-K Cybersecurity GRC - 2024-06-05

Page last updated on July 16, 2024

BIO KEY INTERNATIONAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-05 17:27:22 EDT.

Filings

10-K filed on 2024-06-05

BIO KEY INTERNATIONAL INC filed a 10-K at 2024-06-05 17:27:22 EDT
Accession Number: 0001437749-24-019357


Item 1C. Cybersecurity.

We take a defense-in-depth approach, leveraging multiple, layered security measures, to protect our data, our customers’ data, our infrastructure, and our employees. We embed data protection throughout our operations and information technology programs, relying on multiple and various controls to prevent and detect threats, with the goal of safeguarding our assets, data and personnel.

We evaluate cybersecurity risks as part of our overall enterprise risk management. A steering committee of senior executives meets quarterly to evaluate any changes to the Company’s exposure to cybersecurity risks, discuss potential mitigation plans and provide updates on mitigation efforts already underway. Our cybersecurity team keeps up to date on the latest threats and risks through multiple channels and is also involved in evaluating risks associated with any new proposed service providers.

We employ a Cybersecurity Engineer, reporting directly to our Chief Technology Officer, who manages our cybersecurity team that is comprised entirely of security professionals with industry recognized certifications. The cybersecurity team within BIO-key is responsible for assessing and managing risks and informing/gaining feedback from the cybersecurity steering committee.

Additionally, our team of dedicated cybersecurity experts/professionals maintains a comprehensive set of cybersecurity policies and standards, including a security incident response framework. The framework is a set of coordinated procedures and tasks that our incident response team executes to ensure timely and accurate reporting and resolution of computer security incidents. The framework details who, how and when appropriate persons or committees, including the Board of Directors and Audit Committee, are kept informed on the status of potential cybersecurity incidents. A summary of recent incidents is also presented by the Chief Law Officer (“CLO”) at each regular Audit Committee meeting.

Our policies and standards were developed in collaboration with a wide range of disciplines, including information technology, cybersecurity, legal, compliance and business. Our cybersecurity strategy and policies are continually reassessed to ensure they attempt to identify and proactively address the constant changes in the global threats. Decision makers such as the CLO, executive team, and Audit Committee are regularly kept up to date on cybersecurity trends. Ongoing collaboration with stakeholders throughout the business also helps to build continued awareness and visibility of future needs.

We engage external vendors to assess the cybersecurity program as needed. An independent third party will perform annual multi-stage penetration testing of our IT environment. Our cybersecurity program is governed by the Audit Committee of our Board. The Audit Committee of the Board and the full Board will each receive quarterly updates on cybersecurity risks identified through the enterprise risk management processes described above.

Notwithstanding our processes to oversee and identify risk from cybersecurity threats, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. We identify nation state-sponsored threat actors and the rise in sophistication and proliferation of ransomware campaigns as top reasonable material risks to the business. The theft, unauthorized use or publication of our intellectual property and/or confidential business or personal information (whether through a breach of our own systems or the breach of a system of a third party that provides services to us) could harm our competitive or negotiating positions, reduce the value of our investment in research and development and other strategic initiatives, compromise our patent enforcement strategies or outlook, damage our reputation or otherwise adversely affect our business.

To date there have not been any risks that have materially affected our operations. See Item 1A. "RISK FACTORS" for a discussion of cybersecurity risks.


Company Information

Name: BIO KEY INTERNATIONAL INC
CIK: 0001019034
SIC Description: Services-Prepackaged Software
Ticker: BKYI - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30