Beyond Air, Inc. 10-K Cybersecurity GRC - 2024-06-24

Page last updated on July 16, 2024

Beyond Air, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-24 17:20:42 EDT.

Filings

10-K filed on 2024-06-24

Beyond Air, Inc. filed a 10-K at 2024-06-24 17:20:42 EDT
Accession Number: 0001493152-24-025000


Item 1C. Cybersecurity.

We rely on sophisticated information technology systems and network infrastructure to operate and manage our business. We also maintain personally identifiable information (“PII”) about our employees, and given the nature of our business, we have access to protected health information (“PHI”). Our business therefore depends on the continuous, effective, reliable, and secure operation of our computer hardware, software, networks, Internet servers, and related infrastructure. To the extent that our hardware or software malfunctions or access to our data by internal personnel, suppliers or customers through the Internet is interrupted or compromised, our business could suffer.

The integrity and protection of our customer, personnel, financial, research and development, and other confidential data is critical to our business, and our customers and employees have a high expectation that we will adequately protect their personal information. The regulatory environment governing information, security and privacy laws is increasingly demanding and continues to evolve and a number of states have adopted laws and regulations that may affect our privacy and data security practices regarding the use, disclosure and protection of PII. For example, the California Consumer Privacy Act (“the CCPA”), among other things, creates individual privacy rights and imposes increased obligations on companies handling PII.

Although our computer and communications hardware are protected through physical and software safeguards, they are still vulnerable to system malfunction, computer viruses, malware and ransomware, and other cybersecurity threats such as phishing and social engineering attacks. These events could lead to the unauthorized access of our information technology systems and result in financial loss and the misappropriation or unauthorized disclosure of confidential information belonging to us, our employees, partners, customers, or suppliers.

The techniques used by criminal elements to attack computer systems are sophisticated, change frequently and may originate from less regulated and remote areas of the world. As a result, we may not be able to address these techniques proactively or implement adequate preventative measures. If our information technology systems are compromised, we could be subject to fines, damages, litigation and enforcement actions, incur financial losses, suffer reputational damage, and lose trade secrets or other confidential information, each of which could significantly harm our business.

Cybersecurity Program

Given the importance of cybersecurity to our business, we maintain a robust cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical, and technical safeguards with regular evaluations of our cybersecurity program, including periodic internal and external audits, penetration tests, and incident response simulations. We also require cybersecurity training when onboarding new employees and contractors, as well as required cybersecurity awareness training for our employees and contractors/other workforce members. Our program leverages industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to strengthen our program effectiveness and reduce cybersecurity risks.

We use a risk-based approach with respect to our use and oversight of third-party service providers. We use a number of means to assess cyber risks related to our third-party service providers, including maintaining vendor questionnaires/conducting due diligence in connection with onboarding new vendors and engaging in periodic reviews thereafter as appropriate.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

In the event of a cybersecurity incident, we maintain a regularly tested incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat, and handling it in accordance with that severity level. We have relationships with a number of third-party service providers to assist with cybersecurity containment and remediation efforts.

Governance

Upon a notification of concerning factors which may be indicative that a notable cybersecurity incident has occurred, the Cyber Security Subcommittee (Cyber Security Subcommittee) consisting of General Counsel, Head of HR & Chief Technical Officer (CTO) meets to make an initial assessment. If the Cyber Security Subcommittee determines there is a reasonable likelihood a notable cybersecurity incident has occurred, then notice will promptly be given to certain members of the Company Executive Team including our Chief Executive Officer, Chief Operating Officer, Chief Commercial Officer & Chief Financial Officer.

Our team leverages over 25 years of experience in various cyber security functions. Our CTO, and their team, are responsible for the day-to-day management of the cybersecurity program. The CTO provides periodic briefings for our senior management team on cybersecurity matters, including the prevention, detection, mitigation, and remediation of cybersecurity incidents and cybersecurity threats.

Board Oversight

While the Board of Directors has overall responsibility for risk oversight, our Audit Committee oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management, and overseeing the Company’s cybersecurity and privacy risk exposures and policies. On a quarterly basis, the CTO reports to the Audit Committee on information technology and cybersecurity matters, including key information technology risks. The CTO also apprises the Audit Committee and full Board of Cyber Security Incidents consistent with our incident response program, promptly.

Cybersecurity Risks

Our cybersecurity risk management processes are integrated into our overall Enterprise Risk Management (“ERM”) process. As part of our ERM process, department leaders identify, assess, and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. Department leaders are asked to consider the severity and likelihood of certain risk factors, drawing upon their company knowledge and past business experience.

While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A-Risk Factors.” To date, we have not experienced any material cybersecurity incidents or threats.


Company Information

Name: Beyond Air, Inc.
CIK: 0001641631
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: XAIR - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: March 30