Genasys Inc. 10-K Cybersecurity GRC - 2024-12-13

Page last updated on December 13, 2024

Genasys Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-13 15:36:12 EST.

Filings

10-K filed on 2024-12-13

Genasys Inc. filed a 10-K at 2024-12-13 15:36:12 EST
Accession Number: 0000950170-24-136163


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

At Genasys, cybersecurity risk management is integrated into our overall risk management program through regular internal risk assessments and continuous monitoring. Under the leadership of the Information Technology (“IT”) Director, IT developed, implemented, and maintains a broad range of processes and protocols designed to monitor, identify, mitigate, and prevent material risks associated with cybersecurity threats and incidents relevant to internal networks, business applications, customer-facing applications, customer payment systems, and business operations. Our protocols include a third-party provided 24/7 Security Operations Center (SOC), which is designed to oversee our Endpoint Detection and Response (EDR) system and a robust Security Information and Event Management (SIEM) system that aggregates logs for real-time threat detection.

Our cybersecurity risk management program applies information and direction from industry-recognized cybersecurity frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (CSF), specifically the NIST 800-171, the Department of Defense Cybersecurity Maturity Model Certification (CMMC) Level 2, Sarbanes Oxley (SOX), and Services Organization Controls (SOC) 2. Third-party risk is managed through vendor assessments and SOC 2 report requests, designed to ensure that our partners adhere to strict cybersecurity standards.

Notwithstanding the foregoing, we have not identified and are not aware of any risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Despite our security measures, however, there can be no assurance that we, or third parties with which we interact, will not experience a cybersecurity incident in the future that will materially affect us. See “Risk Factors - Actual or perceived failures or breaches of our information and security systems, or those of our customers, suppliers or business partners, could expose us to losses.”

Cybersecurity Governance

Board Oversight

Our Board of Directors considers cybersecurity risk as critical to the enterprise and includes it as part of the full Board’s oversight function. The full Board is updated on cybersecurity risks and compliance with relevant standards and regulations as part of its overall governance responsibilities, including quarterly Board meeting reports. Our Director of IT, who is responsible for the oversight and implementation of the cybersecurity program, also periodically makes presentations to Board members on cybersecurity topics as part of the Board’s continuing education on topics that impact our company. Additionally, we have an escalation process to inform the Board of high-severity cybersecurity incidents that may occur. Our Board also periodically engages independent third-party technology experts to test our information technology systems, including cybersecurity.

Management Role

The Director of IT leads the day-to-day management of cybersecurity at Genasys, supported by a team of three IT professionals with a combined 45 years of IT and cybersecurity experience. This team handles ongoing risk assessments, manages threat detection through our SOC and Security Information and Event Management (SIEM), ensures compliance with industry regulations, and informs executive management about ongoing efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means. This may include briefings from internal security personnel; sharing publicly or privately available threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and forwarding alerts and reports produced by network monitoring and security tools we deploy. Management also ensures that employees and contractors undergo quarterly cybersecurity training and phishing simulations via KnowBe4, as part of a comprehensive awareness program.


Company Information

Name: Genasys Inc.
CIK: 0000924383
SIC Description: Household Audio & Video Equipment
Ticker: GNSS - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: September 29