STAAR SURGICAL CO 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

STAAR SURGICAL CO reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 16:00:40 EST.

Filings

10-K filed on 2025-02-21

STAAR SURGICAL CO filed a 10-K at 2025-02-21 16:00:40 EST
Accession Number: 0000950170-25-024813


Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and we have integrated these processes into our overall risk management program. We assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We have adopted as the governance framework for our cybersecurity program the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). We use this framework as a guide to help us identify, assess, respond to, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program includes:

- periodic risk assessments designed to help identify material cybersecurity risks to our critical systems, information, and our broader enterprise information technology (IT) environment;
- skilled internal information security (IS) and data privacy personnel, who support our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents;
- external service providers, where appropriate, to monitor, assess, test, or otherwise assist with aspects of our security controls, and to support risk mitigation efforts;
- training for our employees on cybersecurity awareness and the importance of protecting information assets, including “phishing” tests;
- periodic reviews of key cybersecurity policies, and updating as needed;
- information governance policy and a cybersecurity incident response plan that includes procedures for monitoring data use and responding to cybersecurity incidents; and
- a third-party risk management process for service providers, suppliers, and vendors.

Based on the information available to us as of the date of this Annual Report, we believe that risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, have not materially affected us, including our business strategy, results of operations, or financial condition, and as of the date of this Annual Report, we are not aware of any material risks from cybersecurity threats that are reasonably likely to do so. However, we cannot eliminate all risks from cybersecurity threats or provide assurances that the Company will not be materially affected by such risks in the future. Additional information on cybersecurity risks we face can be found in Item 1A, Risk Factors, which should be read in conjunction with the foregoing information.

Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated oversight of cybersecurity, including data security risk mitigation efforts, to the Audit Committee. Under the Audit Committee charter, the Audit Committee has responsibility for discussing with management the Company’s policies with respect to risk assessment and risk management, including guidelines and policies to govern the process by which the Company’s exposure to risk is handled. The Audit Committee receives reports from management on the Company’s cybersecurity risks and the Company’s cybersecurity program. In addition, management updates the Audit Committee, as necessary, regarding any material cybersecurity incidents. The Audit Committee regularly updates the Board on such matters, and the Board also periodically receives presentations from management directly on our cybersecurity risk management. Our management team is responsible for assessing and managing our material risks from cybersecurity threats and reporting on such risks to the Audit Committee.

Our management team oversees efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include threat briefings from internal personnel and external service providers, as well as alerts and reports produced by security tools deployed in the information technology environment. STAAR utilizes internal personnel and external service providers to support the Company’s cybersecurity efforts. Our Chief Information Officer (CIO) leads a team of IS professionals who have primary responsibility for our overall cybersecurity risk management program and supervises both our internal personnel and our retained external cybersecurity consultants. Our CIO has over two decades of experience, including experience building IT and IS functions and teams, as well as cybersecurity programs. Our CIO holds an M.B.A. in management, has an audit and accounting background, and serves on the SoCalCIO Board, a Southern California organization developing and supporting local CIOs. The CIO and IS team collaborate closely with STAAR’s legal, privacy, and internal audit functions to address cybersecurity and data privacy risks. The Company’s internal IS and data privacy specialists have certifications from various organizations, including ISC2 (Certified Information Systems Security Professional or CISSP), Global Information Assurance (GIAC), the Computing Technology Industry Association (CompTIA) and International Association of Privacy Professionals (IAPP).


Company Information

Name: STAAR SURGICAL CO
CIK: 0000718937
SIC Description: Ophthalmic Goods
Ticker: STAA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 26