Renalytix plc 10-K Cybersecurity GRC - 2024-09-30

Page last updated on October 1, 2024

Renalytix plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-09-30 14:48:17 EDT.

Filings

10-K filed on 2024-09-30

Renalytix plc filed a 10-K at 2024-09-30 14:48:17 EDT
Accession Number: 0000950170-24-110315

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We rely on complex information technology systems and various software applications to operate our business. We have developed a comprehensive cybersecurity program as part of our ISO 27001 2022 certification designed to protect our systems and the confidentiality, integrity and availability of our data. We have implemented processes that are intended to assess, identify, manage and reduce cybersecurity risks. We maintain a global incident response plan and disaster recovery management plan, each designed to protect against, identify, evaluate, respond to and recover from an incident. These plans anticipate an array of potential scenarios and provide for the assembly of a cybersecurity incident response team in the event of a cyber incident. The incident response team is a cross-functional group that may be composed of both company personnel and external service providers, and which is tailored to a particular incident so that individuals with appropriate experience and expertise are available. We regularly conduct exercises to help ensure the plans’ effectiveness and our overall preparedness. We also have invested in tools and technologies to protect our and our patients’, customers’ and business partners’ data and information technology, and we regularly monitor our information technology systems and infrastructure to identify and assess cybersecurity risks. Identified issues are logged within the organization’s ticketing system, or managed by the change management policy. Automated monitoring and reporting mechanisms are in place wherever possible and appropriate. Vulnerability and penetration testing is performed by appropriately qualified internal personnel or hired specialist, in managed by the Supplier & Vendor Management Policy. We rely in part on third parties (including assessors, consultants, advisors and others) in connection with our processes for assessing, identifying, managing and reducing cyber risks. In addition, we have implemented a cybersecurity awareness program designed to educate and train our entire employee network on how to identify and report cybersecurity threats. We also provide specialized training for employees in specialized information technology roles. We take measures to regularly update and improve our cybersecurity program, including conducting independent program assessments, penetration testing and scanning of our systems for vulnerabilities. We are certified to ISO27001, 2022 and have satisfied the requirements for Information security, cybersecurity and privacy protection - Information security management systems (ISMS). Oversight of the ISMS is provided through the ISMS Board chaired by a qualified Chief Information Security Officer (CISO). With representation of the executive management team and board through the Chief Technology Officer, the ISMS collectively makes the primary strategic decision around information security and issues that may arise. All identified risks or incidents are addressed and evaluated by an Information Security Incident Response Team (ISIRT) who are responsible for notifying executive management, board and other internal or external stakeholders as deemed necessary. With respect to third-party service providers, our information security program includes conducting due diligence of relevant service providers’ information security programs prior to onboarding.

Company Information