FOXO TECHNOLOGIES INC. 10-K Cybersecurity GRC - 2024-06-06

Page last updated on July 16, 2024

FOXO TECHNOLOGIES INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-06 16:15:25 EDT.

Filings

10-K filed on 2024-06-06

FOXO TECHNOLOGIES INC. filed a 10-K at 2024-06-06 16:15:25 EDT
Accession Number: 0001213900-24-050377

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Privacy and Security We are entrusted with highly personal data and are committed to protecting the privacy and security of our customers and organization. Protection and access to company data is the keystone of the cybersecurity strategy and is considered the utmost of business requirements. We use the GDPR as our guidepost for data protection practices and continue to monitor emerging U.S. laws. Our security program is built on the following key success factors: tightly controlled access management based on least-privilege authorization, layered defenses, continuous monitoring, vulnerability testing, rapid response, internal and supply chain risk management, strong executive support, and regular development of a security culture. Integration of our compliance command center tool enables continuous monitoring of policy and practices covering service organization control 2 (" SOC 2 “) compliance. 30 Protecting data privacy and security is an organizational-wide responsibility. We protect customer data with a variety of processes and monitoring tools, such as: ● Access control is tightly managed with single sign-on, multi-factor authentication, and sensitive data access limited by least-privilege authorization appropriate for job duties and reviewed quarterly. ● Internal Risk Assessments are performed quarterly to identify areas of risk to mitigate or eliminate to improve security. ● Supply chain risk is being evaluated in an ongoing manner with our comprehensive Third-Party Risk Management program. We use a variety of tools to monitor key Software as a Service provider’s security positions as well as regular Risk Assessment questionnaires and evaluations. ● Our internal security team is augmented with a 24/7 Security Operations Center with analysts available to respond to alerts and protect data based on continuous monitoring for indicators of compromise including elevation of privilege, suspicious access, and data exfiltration. ● Recognizing employees are heavily targeted for compromise, security prioritizes social engineering and phishing awareness with weekly organization-wide updates, quarterly and annual training. Additionally, we manage client systems with end-point protection tools and monitoring agents to prevent malware and ransomware attacks. Samples are uniquely identified with a code number only, and de-identified to minimize potential exposure during processing. ● All data is encrypted at rest and in transit with industry standards. ● Regular network and application penetration testing is performed to identify potential vulnerabilities. Security is an ongoing focus with continuous improvement to strengthen our security posture, strengthen data protection, eliminate gaps, and expand our security-as-a-culture. We are completing our control compliance development in preparation for our initial SOC 2 Type II audit. Having a SOC 2 Report will improve our ability to sell to large organizations and attest to our use of best practices for protecting sensitive data. SOC 2 compliant policies, procedures, and controls will make it easier to achieve other security certifications, further increasing customer confidence in our security. For purposes of this section: “Cybersecurity incident” means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through our information systems that jeopardizes the confidentiality, integrity, or availability of our information systems or any information residing therein. “Cybersecurity threat” means any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. “Information systems” means electronic information resources, owned or used by us, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of our information to maintain or support our operations. Risk Management and Strategy We monitor our websites and online accounts frequently to manage risks associated with cyber-security risks. Our website is monitored by a third party to check if the website or email server is secure. Our webmaster informs us of any issues that may arise in the cyber sector. We are prepared to inform all parties necessary if any breach of cyber-security were to happen. We have never had this problem and so we have never had to inform consultants, auditors, or other third parties. We have never had a breach of cyber-security at any point in our past. The risk to us of cybersecurity threats is in data storage of customer questions and emails. A breach of customers data could negatively materially affect our public trust and could result in loss of customers and revenue. 31 Governance Our board of directors has no specific processes for monitoring cybersecurity within the company. There is no subcommittee specifically for monitoring cybersecurity in the company. Our management monitors our websites and online accounts frequently to manage risks associated with cyber-security risks. Our management has more than 20 years of experience working in the technology industry, which enables it to identify cybersecurity risks associated with the Company. Our management communicates with our board on matters of cybersecurity but, has not had to inform them of any breaches thus far.

Company Information