Page last updated on October 30, 2024
Simulations Plus, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-10-30 16:26:15 EDT.
Filings
10-K filed on 2024-10-30
Simulations Plus, Inc. filed a 10-K at 2024-10-30 16:26:15 EDT
Accession Number: 0001023459-24-000136
Item 1C. Cybersecurity.
We are committed to safeguarding our stakeholders’ sensitive information shared in the application of software and services provided by the Company. We believe that our cybersecurity program, risk management and governance reflect our commitment to our stakeholders.

Risk Management and Strategy

We recognize that cybersecurity risks pose a significant threat to our business, customers, and stakeholders, and we have implemented a comprehensive cyber security program to address these risks. We embed security considerations into every aspect of our operations, and our focus encompasses a proactive approach that involves continuous monitoring to swiftly detect and respond to emerging threats to ensure that our stakeholders’ information remains secure in the face of evolving cybersecurity challenges.

With a foundation grounded in industry best practices, including NIST 800-53, ISO 27001, CIS Top 20, and OWASP Top 10, we prioritize the identification and assessment of risks to create a protective shield around our customers’ data. This guides our processes for assessing, identifying, and managing risks related to cybersecurity threats and incidents, as well as ensuring compliance with legal and contractual obligations.

Our risk management processes are integrated into our overall business strategy and operations. We use various methods and tools to identify and assess cybersecurity risks across all assets in our technical landscape, such as vulnerability scanning, penetration testing, threat intelligence, risk assessments, and audits from customers.

We maintain robust cybersecurity incident response procedures, which includes escalating incidents to the appropriate level of management and Board of Directors, mitigation, remediation and the assessment of materiality of cybersecurity incidents, or a series of related incidents, that may materially affect or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Furthermore, we conduct annual cybersecurity awareness training for our employees in order to provide them with the knowledge necessary to navigate the digital landscape securely. We understand that cybersecurity is not a static concept but a dynamic discipline, and our security and privacy notice reflects this by incorporating internal audits, penetration testing, active vulnerability scanning and a continuous improvement mindset.

As of the date of this Report, we are not aware of any cybersecurity incidents, or a series of related incidents, that have had or are reasonably likely to have a material impact on the Company’s results of operations or financial condition. For more information on our cybersecurity related risks, see Part 1, Item 1A. Risk Factors included elsewhere in this Report.

Governance

We have established a corporate governance structure that provides oversight and guidance for our cybersecurity program. Our Board of Directors (the “Board”) is ultimately responsible for the oversight of the Company’s security program. In the oversight of the program, the Board is focused on cybersecurity risk, including incident response planning, timely identification and assessment of incidents, incident recovery and business continuity considerations.

We have engaged a third party consulting firm, VeraSafe, as our DPO. The DPO is responsible for ensuring that we have a Personal Data Protection program in place that is compliant with data privacy laws such as the EU GDPR, UK GDPR, China’s PIPL, and data privacy laws enacted at the state level, as applicable to us. Our corporate Personal Data Protection program includes policies, practices, and training directed to protecting personal data.

We have defined roles and responsibilities for the management of cybersecurity risks, including specific executive-level and management-level positions or committees. Our security program is overseen by our VP of Information Technology, supported by corporate leadership from legal and finance. Our VP of Information Technology and the support team is accountable for the program. Our function and business unit executive leadership, acting in support of the VP of Information Technology and the Board, is responsible for ensuring organizational compliance with data protection regulations and controls across the organization.

Our VP of Information Technology and Data Privacy Officer, are responsible for the design, implementation, and monitoring of the security and privacy policies, standards, procedures, and controls that govern our information systems and data processing activities. Our VP of Information Technology and support team also have a reporting responsibility to the executive leadership and the Board. They coordinate the response and remediation of cybersecurity incidents and data breaches and report on the status and effectiveness of the security and privacy program to the Board and other stakeholders on an as needed basis.

The Board receives regular reports from management on our cybersecurity program, risks and activity. We have established processes to ensure that management is informed about and monitors cybersecurity incident prevention, detection, mitigation, and remediation. These processes include regular reporting, escalation, and communication protocols, as well as periodic reviews and audits of the security and privacy program.

Company Information
Name | Simulations Plus, Inc. |
CIK | 0001023459 |
SIC Description | Services-Computer Integrated Systems Design |
Ticker | SLP - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | August 30 |