AYTU BIOPHARMA, INC 10-K Cybersecurity GRC - 2024-09-26

Page last updated on September 26, 2024

AYTU BIOPHARMA, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-26 16:05:37 EDT.

Filings

10-K filed on 2024-09-26

AYTU BIOPHARMA, INC filed a 10-K at 2024-09-26 16:05:37 EDT
Accession Number: 0001437749-24-030062

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risks We rely on internal and third-party information technology systems and networks to process, transmit and store electronic information in our operations, including our proprietary business information and that of our customers, suppliers and employees. We use various internal and third-party information technology systems and networks to manage our operations and maintain effective internal control over financial reporting. We also collect and store sensitive data, including intellectual property, proprietary business information and personal information of our customers, suppliers and employees, in our data centers and on our networks. The secure operation of these information technology systems and networks, and the processing and maintenance of this information, are critical to our business operations and strategy. Despite our security measures, our internal and third-party information technology systems and networks may be subject to damage, disruption, or unauthorized access due to a variety of factors, including cyber-attacks by computer hackers, computer viruses, ransomware, phishing, denial-of-service attacks, physical or electronic break-ins, employee error or malfeasance, power outages, natural disasters, or other catastrophic events. Any such damage, disruption, or unauthorized access could compromise our internal and third-party networks and the information stored there could be accessed, publicly disclosed, lost, or stolen. Any such access, disclosure, or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, regulatory penalties, disruption to our operations, damage to our reputation, loss of customers, potential harm to our competitive position and additional costs to remediate the issue. Cybersecurity Practices We have implemented various measures to manage our risk of information technology systems and networks damage, disruption, or unauthorized access, including regular employee training, monitoring of our systems and networks, maintenance of backup and protective systems and use of modern endpoint detection and response tools, which are integrated into Aytu’s risk management systems and processes. We have implemented multi-factor authentication (“MFA”) across many of our systems and email accounts to prevent unauthorized access and impersonation. We also utilize a cloud-based environment for a large portion of our operations, which enhances our scalability, flexibility and resilience and utilize third parties to perform early external vulnerability assessment and risk identification. We have established extensive backup and recovery procedures to ensure the continuity of our operations in a cyber incident. We also maintain cyber liability insurance coverage as part of our comprehensive risk management program. However, these measures may not be sufficient to prevent, detect, or mitigate the impact of such damage, disruption, or unauthorized access. Moreover, the regulatory environment related to information security, data protection and privacy is increasingly demanding and complex, and compliance with applicable laws and regulations may result in significant costs or require changes in our business practices that could adversely affect our operations. Cybersecurity Governance Our Board of Directors is actively involved in overseeing our cybersecurity risk management. Our Board of Directors delegates certain oversight functions to our Audit Committee, which reviews our cybersecurity policies, procedures, controls and audit results. Our Audit Committee receives quarterly updates on our cybersecurity posture, threats and incidents from Aytu’s management. Our Board of Directors and our Audit Committee regularly assess the adequacy of our cybersecurity risk management framework and the effectiveness of our mitigation strategies. Our cybersecurity operations are led by our Chief Financial Officer. He is responsible for overseeing the development and implementation of our cybersecurity strategy, policies, standards and practices. He also oversees our cybersecurity team, which includes a staff member who has over 20 years of experience in the field. Our cybersecurity team monitors, detects, responds and reports on cybersecurity threats and incidents, and coordinates with our internal and external stakeholders to ensure the security of our information assets. Aytu adheres to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework 2.0, which provides a set of standards, guidelines and best practices to manage cybersecurity-related risks. We have developed and documented our systems disaster recovery plan, which outlines the roles, responsibilities and procedures for restoring our critical systems and data in the event of a cyber incident. We have also crafted internal policies to help maintain a secure environment, such as our information security policy, our data classification policy, our incident response policy and our password policy. We regularly conduct phishing simulations, vulnerability scans and audits to test the effectiveness of our controls and backups, and to identify and remediate any gaps or weaknesses in our cybersecurity posture. Cybersecurity Incidents Despite our efforts to prevent and mitigate cybersecurity incidents, we cannot guarantee that we, or third-party providers that we rely on, will not experience any breaches, disruptions, or unauthorized access to our information technology systems and networks. During fiscal 2024, we did not experience any cybersecurity incidents that materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, however, there can be no assurance that the measures we have taken to address IT and cybersecurity risks will prove effective in the future. For additional discussion of the IT and cybersecurity risks facing our business, please refer to Part 1, Item 1A, Risk Factors of this Annual Report. We prioritize investment in cybersecurity risk management and governance. We continually assess the adequacy of our resources and capabilities to address emerging threats, regulatory requirements and changes in technology. As cybersecurity threats evolve, we may need to further enhance our processes and technologies, which could require additional financial resources.

Company Information