KNOW LABS, INC. 10-K Cybersecurity GRC - 2024-11-14

Page last updated on November 14, 2024

KNOW LABS, INC. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-14 17:12:44 EST.

Filings

10-K filed on 2024-11-14

KNOW LABS, INC. filed a 10-K at 2024-11-14 17:12:44 EST
Accession Number: 0001654954-24-014480


Item 1C. Cybersecurity.

Our cybersecurity and risk management program is intended to protect the confidentiality, integrity, and availability of our critical information systems and the data resident on them. Due to the nature of our business and our customers, we face cybersecurity challenges and threats, including attempts to gain unauthorized access to our intellectual property, trade secrets, codebase, proprietary or confidential information, denial-of-service attacks, attacks from foreign nations, as well as threats to our identity and personnel. We have designed our IT systems and processes with the intention that our solutions should defend against the ever-evolving threat landscape while remaining agile to keep up with such threats.

We leverage a combination of cyber security frameworks to protect its assets. We use the controls from these frameworks as well as guidelines and best practices from the industry to develop our cybersecurity plan. Our cybersecurity plan and its elements are reviewed regularly to ensure they meet the requirements and expectations of our security needs. We have an information security policy in place, which includes monthly meetings with outside cybersecurity experts to review and maintain the procedures up to current standards.

Our cybersecurity program is spearheaded by its software department, with support from external advisors and approval from executive management. The stakeholders have been identified and know their roles within the cyber security process as well as having all roles be documented. The Audit Committee of the Board of Directors performs an annual review of our cybersecurity program, including management’s actions to identify and detect threats. The Board receives periodic reports and annual updates on our crisis management plan which includes cybersecurity. Both the Chief Science Officer and the Chief Financial Officer share responsibility for our program and solicit support of third party experts as necessary.

Risk is assessed based on multiple factors. First, our IT and administrative team updates and maintains our asset inventory to ensure all assets are included in our risk management process. From there, key assets are identified, and risk is assessed based on business impact, availability of information, and attack feasibility. After the risks have been identified, they are reviewed with the stakeholders for action plans or sign-off on the acceptance of risk. We leverage third party applications and software to help identify vulnerabilities within our system’s boundaries. These vulnerability lists are used to create remediation plans and are prioritized based on severity and attack feasibility.

An incident response plan has been established which provides detailed information on actions to take in the event of an incident. The incident response plan includes the scope of the plan, establishes the incident response team, details the incident response lifecycle, and provides templates to make the process easier to document and follow. Timelines, communication methods, and notification information are included in the plan to ensure the process can be followed in high pressure situations which can occur during incidents.

Sensitive and confidential data is a part of business. We leverage an encryption and signing policy that identifies the type of information we store and what level of encryption and signing is required for the data. This document also details the overarching requirements for encryption such as allowed cyphers, encryption methods, and key storage.

We have had one cybersecurity incident in the last decade. A company-issued computer was reported stolen from an employee’s residence. This incident represented a potential cybersecurity threat, as the device contained sensitive company information, including access credentials, confidential data, and proprietary software. The threat was quickly identified and isolated before significant damage could be done. This incident did not affect business operations and did not have a financial impact on our company. Our cybersecurity experts promptly locked the device, changed all relevant passwords and access credentials, initiated a remote wipe, and notified relevant teams and law enforcement, everything according to its info security plan. No proprietary information was lost.


Company Information

Name: KNOW LABS, INC.
CIK: 0001074828
SIC Description: Measuring & Controlling Devices, NEC
Ticker: KNW - NYSE
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: September 29