ACCURAY INC 10-K Cybersecurity GRC - 2024-09-19

Page last updated on September 19, 2024

ACCURAY INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-19 16:25:23 EDT.

Filings

10-K filed on 2024-09-19

ACCURAY INC filed a 10-K at 2024-09-19 16:25:23 EDT
Accession Number: 0000950170-24-108118


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the importance of cybersecurity in safeguarding sensitive information, maintaining operational integrity, and working to ensure the safety and efficacy of our products. We evaluate and monitor cybersecurity risk as part of our overall enterprise risk management program, which considers cybersecurity risks alongside other company risks as part of our overall risk assessment process. In addition, the risk oversight responsibility of our Board of Directors and its committees is supported by our cybersecurity risk assessment program, which includes policies and processes that are designed to provide visibility and information about the identification, assessment, and management of critical risks and management’s risk mitigation strategies to our Board of Directors and to personnel that are responsible for risk assessment. These policies also govern the security of our products and the protection of customer and patient data, and provide for vulnerability remediation, regular system updates and patches, employee training on cybersecurity and HIPAA best practices, incident reporting, and the use of encryption to secure sensitive information. To identify, assess, and manage material cybersecurity risks, our team uses a cybersecurity risk assessment process aligned with leading frameworks such as the National Institute of Standards and Technology’s Cyber Security Framework and HIPAA. Our cybersecurity risk assessment program provides the underlying basis for the activities of our team to identify and mitigate risks from, as well as develop risk management and response strategies for, evolving and emerging cybersecurity threats.
Our cybersecurity program includes a variety of processes to assess, identify and manage risks from cybersecurity threats arising from our own and third-party provided systems, including annual training requirements, simulation exercises, threat monitoring and detection tools (including those using artificial intelligence and machine learning), threat containment methods, risk assessments, third-party penetration testing and security requirements for our suppliers and other third parties. We have established processes providing for review of identified cybersecurity incidents by a cross-functional cybersecurity incident response team who monitors and manages the detection, assessment, mitigation and remediation of cybersecurity incidents and escalates incidents to the Chief Information and Security Officer and to our disclosure review board, which evaluates such incidents for materiality and potential disclosure, and works to ensure that members of management responsible for overseeing the operation of our disclosure controls and procedures are informed of such cybersecurity risks and incidents. Our cybersecurity incident response team and disclosure review board are comprised of subject matter experts, including employees in cybersecurity, information technology and other areas to evaluate potential security, financial, operational, reputational and other risks, and to address our process. We also engage third parties to enhance and strengthen our cybersecurity program, to provide additional capabilities and support and to provide periodic independent assessments and evaluations of our cybersecurity program. Third parties also provide managed services for security operations, incident response, and security remediation services. We monitor and periodically enhance our cybersecurity program, processes, techniques and procedures to combat evolving and adaptive cybersecurity threats. 
To this end, we engage in the periodic assessment of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents, internally and through assessments by external providers. The results of such assessments, audits, and reviews are reported to the Audit Committee and the Board of Directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews. We also monitor and test our safeguards and train all our employees on cybersecurity safeguards related to our information technology systems. Personnel at all levels and departments are made aware of our cybersecurity policies through periodic cybersecurity trainings and tests. Further, we are focused on building and maintaining a positive cybersecurity culture through a combination of trainings, educational tools, videos, and other cybersecurity awareness initiatives. Our security training incorporates awareness of cyber threats (including malware, ransomware, and social engineering attacks), password hygiene, the importance of multifactor authentication and our incident reporting process. In addition to the assessment of internal cybersecurity risks, we have implemented processes to oversee, identify and monitor material risks from cybersecurity threats relating to potential compromises of sensitive information at our third-party business partners where relevant and we reevaluate these risks periodically. These processes include vetting of certain service providers for security, reliability, and availability; execution of a Business Associate Agreement with relevant providers for compliant management, storage, or processing of PHI if necessary; and confirmation by each service provider that its SOC-2 reports, or equivalent reports, are current and available, where applicable. 
In the event a service provider does not have a current and available SOC-2 or equivalent report, we review the service provider’s cybersecurity risk management and advise relevant business stakeholders of any significant identified risks. While we regularly experience cybersecurity incidents, and we expect to continue to be subject to such incidents, as of the date of this report, we are not aware of any cybersecurity incidents that have had or are reasonably likely to have a material impact on our business or operations. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, including our business strategy, results of operations, or financial condition, as further described in Item 1A. Risk Factors in the risk factor entitled “Disruption of critical information technology systems, infrastructure and data or cyberattacks or other security breaches or incidents could harm our business and financial condition.”

Governance

Our Board of Directors, both directly and through the delegation of responsibilities to the Audit Committee, oversees the proper functioning of our cybersecurity risk management program and ensures strategic alignment and governance of our cybersecurity efforts at the highest level. Our Board of Directors receives periodic briefings on the outcome of our cybersecurity risk management program, including steps that we are taking to mitigate risks that the program identifies, and each quarter the Audit Committee reviews cybersecurity incidents, metrics and the state of the program. Our cybersecurity risk management program is principally managed by our Global Information Systems team, which is led by our Chief Information and Security Officer, who reports directly to our Chief Executive Officer, as well as our deputy Chief Information Security Officer (deputy CISO).
Our Chief Information and Security Officer and deputy CISO combined have more than 40 years of experience in cybersecurity and/or information technology risk management, have relevant certification, and are active in a variety of cybersecurity related boards and organizations. Our Chief Information and Security Officer also serves as the officer who reports directly to senior management and makes regular reports to the Audit Committee and Board of Directors as described in this Item 1C. Under the direction of our Chief Information and Security Officer and deputy CISO, we monitor developments that could affect our long-term organizational cybersecurity strategy based on threats globally and to enhance our cybersecurity program as needed in response to such developments.


Company Information

Name: ACCURAY INC
CIK: 0001138723
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: ARAY - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: June 29