DELCATH SYSTEMS, INC. 10-K Cybersecurity GRC - 2025-03-06

Page last updated on March 6, 2025

DELCATH SYSTEMS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 09:18:55 EST.

Filings

10-K filed on 2025-03-06

DELCATH SYSTEMS, INC. filed a 10-K at 2025-03-06 09:18:55 EST
Accession Number: 0001628280-25-010797


Item 1C. Cybersecurity.

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and clinical trial data results (“Information Systems and Data”).

The Company’s Chief Finance Officer (“CFO”) and Associate Vice President of Information Technology (“AVPIT”) help identify, assess and manage cybersecurity risk, including input from employees, and devote resources to cybersecurity and risk management processes to adapt to the changing cybersecurity landscape and respond to emerging threats. The CFO and AVPIT identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods including, for example, maintaining manual and automated tools, conducting scans of threats and actors, subscribing to reports and services that identify cybersecurity threats, evaluating threats reported to us, completing internal and external audits, using external intelligence feeds and completing third-party threat assessments.

We have processes and standards to address cybersecurity matters and mitigate material cybersecurity risk. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, encryption standards, access controls, disaster recovery/business continuity plans, incident detection and response, antivirus protection, remote access security, and multi-factor authentication.
All employees are required to complete cybersecurity trainings at least once a year. Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, our AVPIT along with management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Board, which evaluates our overall enterprise risk. The CFO and AVPIT, who has over thirty years of experience in information technology and has both a computer science and information science degree, are responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board. We support our information security program with external resources including cybersecurity software providers and advisors as needed.

We have a vendor management process to manage cybersecurity risks associated with our use of external providers that includes a risk assessment, reviews of vendor audits and reports, and we also impose certain contractual information security obligations on vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. Our assessment of risks associated with the use of third-party providers is part of our overall cybersecurity risk management framework.

The Board, as part of its general oversight function, participates in discussions with senior management and amongst themselves regarding cybersecurity risks. With the assistance of the Company’s most senior IT manager, we review annually the cyber and data security risks of our overall IT environment.
We assess cybersecurity risk and the overall environment which includes devices, IT systems, websites, social media accounts, manufacturing technology/systems and suppliers/vendors. The oversight from the Board includes material changes to relevant policies, procedures, employee training and elements of the overall environment, as necessary, and senior management provides an update to the Board on emerging cyber threats. The Board has access, as requested, to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of senior management, depending on the circumstances. Senior management works with the Company’s cybersecurity incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s cybersecurity incident response plan includes reporting to the Board for certain cybersecurity incidents.

We face a number of cybersecurity risks in connection with our business. For more information about the cybersecurity risks we face, see the risk factor entitled "We and the third parties with whom we work rely on the proper function, availability and security of information technology systems to operate our business and a cyber-attack or other breach of these systems, or our data, could have a material adverse effect on our business, including by not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences" in Item 1A - Risk Factors.


Company Information

Name: DELCATH SYSTEMS, INC.
CIK: 0000872912
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: DCTH - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30