Senmiao Technology Ltd 10-K Cybersecurity GRC - 2024-06-27

Page last updated on July 16, 2024

Senmiao Technology Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-27 13:51:02 EDT.

Filings

10-K filed on 2024-06-27

Senmiao Technology Ltd filed a 10-K at 2024-06-27 13:51:02 EDT
Accession Number: 0001213900-24-056536

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risks from Cybersecurity Threats The Company faces risks associated with cybersecurity threats in carrying out its business operations. For more details regarding the risks related to PRC’s cybersecurity regulation, see " Item 1A. Risk Factors-Compliance with China’s new Data Security Law, Measures on Cybersecurity Review, Personal Information Protection Law, regulations and guidelines relating to the multi-level protection scheme and any other future laws and regulations may entail significant expenses and could materially affect our business. “; and “I tem 1A. Risk Factors-Recent greater oversight by the CAC over data security, particularly for companies seeking to list on a foreign exchange, could adversely impact our business and our offering. " For the year ended March 31, 2024, the Company was not subject to material fines or penalties in connection with cybersecurity, and there were no material cybersecurity incidents arising from cybersecurity or personal data protection. Governance Our board of directors does not have a standing risk management committee, but rather administers this oversight function directly through our board of directors as a whole, as well as through various standing committees of our board of directors that address risks inherent in their respective areas of oversight. While our board of directors has a fiduciary duty to monitor and assess strategic risk exposure, our audit committee is responsible for overseeing our major financial risk exposures and the steps our management has taken to monitor and control these exposures, overseeing cybersecurity risks and assisting the board of directors in its oversight over enterprise risk management. The audit committee also approves or disapproves any related person transactions. Our nominating and corporate governance committee monitors the effectiveness of our corporate governance guidelines and manages risks associated with the independence of the board of directors. Our compensation and leadership development committee assesses and monitors whether any of our compensation policies and programs has the potential to encourage excessive risk-taking. Engagement of Third-Party Service Providers We have in place certain infrastructure, systems, policies, and procedures that are designed to proactively and reactively address circumstances that arise when unexpected events such as a cybersecurity incident occur. These include processes for assessing, identifying, and managing material risks from cybersecurity threats. Identifying, assessing, and managing cybersecurity risk is integrated into our overall risk management systems and processes, and we have in place cybersecurity and data privacy training and policies designed to (a) respond to new requirements in privacy laws and (b) prevent, detect, respond to, mitigate and recover from identified and significant cybersecurity threats. We have relied on the third-party security assessment procedures and data outflow control procedures to manage risks from cybersecurity threats associated with our use of third-party service providers. For example, the servers of the system of XXTX are housed at third-party data centers, and its operations depend on the service providers’ ability to protect such systems in their facilities as well as their own systems. The qualified third-party performs security assessment by timely assessing their cybersecurity policies, data encryption and privacy policies and relevant certificates, establishing procedures in granting such third parties access to our database and requiring them to conduct regular inspections. Since in cooperation with third-party service providers may involve data outbound, we desensitize sensitive information before transferring such data. 69 Our Chinese subsidiaries and affiliates have incurred, and will continue to incur, significant expenses in an effort to comply with cybersecurity and information security standards and protocols imposed by law, regulation, industry standards or contractual obligations to the date of this Report in all material respects.

Company Information