ASTROTECH Corp 10-K Cybersecurity GRC - 2024-09-20

Page last updated on September 20, 2024

ASTROTECH Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-20 08:45:50 EDT.

Filings

10-K filed on 2024-09-20

ASTROTECH Corp filed a 10-K at 2024-09-20 08:45:50 EDT
Accession Number: 0001437749-24-029650


Item 1C. Cybersecurity.

Board of Directors Oversight

Our board of directors, as a whole and through its committees, holds overall oversight responsibility for our risk management processes, including in relation to risks from cybersecurity threats. Our board of directors exercises its oversight function through the audit committee, which oversees the management of risk exposure across various areas, including cybersecurity risks, in accordance with its charter. The audit committee is comprised of board members with diverse expertise including risk management and technology, which we believe enables them to oversee cybersecurity risks.

Management’s Role

We have day-to-day administration and management of our cybersecurity program, under the direct supervision of our executive management, including our Chief Financial Officer (“CFO”). Our executive management is responsible for informing the audit committee on cybersecurity risks, provides the audit committee with risk briefings as needed, and performs at least annual reviews of cybersecurity risks and threats in order to assess and adjust our processes to prevent, detect, mitigate, and remediate any such risks and threats. We also work with external security service providers to support our security monitoring and threat detection capabilities and have implemented a process for such external providers to report relevant findings to executive management, where appropriate.

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our information technology team overseen by the CFO. With nine years of experience at the Company, our CFO is familiar with our technology infrastructure and risk profile. Our information technology team tests our compliance with Center for Internet Security version 8 standards (“CIS”), remediates known cybersecurity risks, and leads our employee training program as such items relate to cybersecurity.

Our CFO and information technology team are continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CFO and information technology team implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CFO and information technology team are equipped with a well-defined incident response plan, which includes escalation to executive management and the audit committee, and relevant public disclosure, as appropriate.

Cybersecurity Risk Management and Strategy

Our cybersecurity program, which is informed by CIS, includes processes for identification, assessment, and management of cybersecurity risks. We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify potential areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security testing and have established a vulnerability detection process, supported by security testing, that is designed to address the treatment of identified security risks based on severity.

Third-Party Risk

We may periodically engage a range of external experts, including cybersecurity assessors, consultants, and auditors to evaluate and test our information systems. These partnerships enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies and processes generally follow industry-recognized standards and frameworks, and are compliant with applicable laws.

As part of our cybersecurity risk management program, we have a process to assess and review the cybersecurity practices of major third-party vendors and service providers that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems, including through review of applicable certifications, and security reports, and contractual requirements, as appropriate. Before engagement, we conduct security assessments of critical third-party providers and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes regular assessments by our information technology team and executive management. This approach is designed to mitigate risks related to data breaches or other security incidents involving third-parties.

Risks from Cybersecurity Threats

We are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity risks through various means, including by leveraging a managed security service provider and other third-party security software and technology services. In addition, we use various internal and external processes and technologies, including third-party security solutions, monitoring, and alerting tools and resources, designed to monitor, identify, and address risks from cybersecurity threats. We also have implemented processes and technologies for network monitoring and data loss prevention procedures. We have adopted an incident response plan to guide us in responding to cybersecurity incidents and maintain processes to inform and update executive management and the audit committee about security incidents that may pose a significant risk for our business, as applicable.

We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems. For more information about the cybersecurity risks we face, see “Increased cybersecurity requirements, vulnerabilities, threats, and more sophisticated and targeted computer crime could pose a risk to our systems, networks, products, services, and data” in “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.


Company Information

Name: ASTROTECH Corp
CIK: 0001001907
SIC Description: Laboratory Analytical Instruments
Ticker: ASTC - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29