Quipt Home Medical Corp. 10-K Cybersecurity GRC - 2024-12-16

Page last updated on December 16, 2024

Quipt Home Medical Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-16 17:11:40 EST.

Filings

10-K filed on 2024-12-16

Quipt Home Medical Corp. filed a 10-K at 2024-12-16 17:11:40 EST
Accession Number: 0001558370-24-016299


Item 1C. Cybersecurity.

Risk Management and Strategy

The Company has adopted policies and implemented certain controls and procedures that allow its management to assess, identify and manage material risks from cybersecurity threats and for its Board of Directors, through its Audit Committee, to actively oversee the strategic direction, objectives, and effectiveness of the Company’s cybersecurity risk management framework. The Cybersecurity Program is developed and reviewed by the Company’s executive leadership alongside the Company’s Audit Committee and carried out and overseen by the senior person in charge of IT at the Company, currently our Chief Compliance Officer (“CCO”). The Company’s processes are integrated into its overall enterprise risk management program and complement the Company’s enterprise-wide risk assessment architecture, as implemented by the Company’s management and as overseen by the Company’s Board of Directors through its Audit Committee.

The Company seeks to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

To identify and assess material risks from cybersecurity threats, we engage in regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises. We continuously monitor threats and unauthorized access to our information security network. We have developed incident response plans by using the information gained through testing and monitoring to manage any identified vulnerabilities and further improve our cybersecurity preparedness and response infrastructure. Such plans set forth the actions to be taken in responding to and recovering from cybersecurity incidents, which include triage, assessing the severity of incidents, escalation protocols, containment of incidents, investigation of incidents, and remediation.

We also regularly perform phishing tests of our employees and provide annual privacy and security training for all employees. Our security training incorporates awareness of cyber threats (including but not limited to malware, ransomware, and social engineering attacks), password hygiene and incident reporting processes.

We review our cybersecurity risk framework and related policies annually with our senior management to help identify areas for continued focus and improvement. We also engage third parties to review and assess our processes annually.

The Company has also implemented processes to identify, monitor and address material risks from cybersecurity threats associated with our use of third-party service providers, including those in our supply chain or who have access to our systems, data or facilities that house such systems or data. discussing issues to be addressed and recommending securities measures to be improved where possible. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

Although in the last three fiscal years we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents, including financial losses, penalties, and settlements, were immaterial, we may experience such incidents in the future and the scope and impact of any such future incidents cannot be predicted. We have described whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, may materially affect or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition in the risk factors titled "Quipt’s business depends on its information systems, including software licensed from or hosted by third parties, and any failure or significant disruption or effective cyber-attack on any of these systems, security breaches or improper disclosure of or loss of data could materially affect our business, results of operations and financial condition." and "Quipt currently outsources, and from time to time in the future may outsource, a portion of its internal business functions to third-party providers, which has significant risks, and Quipt’s failure to manage these risks successfully could materially adversely affect its business, results of operations, and financial condition." in Item 1A. “Risk Factors” of this Annual Report on Form 10-K.

Governance

Role of the Board of Directors and the Audit Committee

As part of the Board of Directors’ role in overseeing the Company’s enterprise risk management program, which includes our cybersecurity risk management framework, the Board is responsible for exercising oversight of management’s identification and management of, and planning for, material cybersecurity risks that may reasonably be expected to impact the Company. While the full Board has overall responsibility for risk oversight, the Board has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee is responsible for overseeing the strategic direction, objectives, and effectiveness of the Company’s cybersecurity risk management framework, taking into account the Company’s risk exposures and progress of its risk management processes.

The Audit Committee is informed of the Company’s cybersecurity risk management and receives an overview of its cybersecurity program from management at least quarterly. Material cybersecurity risks are also discussed during separate Board meetings as part of the Board’s risk oversight generally.

Role of Management

Our CCO is responsible for management’s oversight of cybersecurity governance, decision-making, risk management, awareness, and compliance across the Company. Our CCO works to employ a cybersecurity program designed to protect the Company’s information systems from cybersecurity threats and to respond to incidents in accordance with the Company’s incident response plan and other policies and procedures. In the event of a material cybersecurity incident or investigation, management will, in compliance with escalation protocols in place, promptly report to the Audit Committee and the Board, as appropriate, in accordance with the Company’s incident response plan, and other policies and determine the timing of action, and necessary response.

Our CCO has over 20 years of experience in various roles in information technology and information security. He holds a degree in Legal Studies and holds several relevant certifications, including Certified HIPAA Professional (“CHP”).


Company Information

Name: Quipt Home Medical Corp.
CIK: 0001540013
SIC Description: Services-Misc Health & Allied Services, NEC
Ticker: QIPT - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: September 29