ONE STOP SYSTEMS, INC. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

ONE STOP SYSTEMS, INC. reported its cybersecurity risk management and governance process in its annual 10-K, filed on 2025-03-19 at 15:48:39 EDT.

Filings

10-K filed on 2025-03-19

ONE STOP SYSTEMS, INC. filed a 10-K at 2025-03-19 15:48:39 EDT
Accession Number: 0000950170-25-041974


Item 1C. Cybersecurity.

Risks related to Cybersecurity Incidents

We face significant risks related to cybersecurity threats, which could adversely affect our business, financial condition, and results of operations. Cybersecurity incidents, including but not limited to unauthorized access, data breaches, and other malicious activities, could result in the loss or theft of sensitive information, disruption of our operations, and damage to our reputation. While we have implemented measures to protect our information systems, there can be no assurance that these measures will effectively prevent all cybersecurity incidents. Specific risks include, but are not limited to:

1. Data Breaches: A breach of our information systems could lead to unauthorized access to customer or employee data, resulting in reputational harm and legal liabilities.
2. Operational Disruption: Cybersecurity incidents could disrupt our operations, leading to delays in production, delivery, or fulfillment of customer orders.
3. Intellectual Property Theft: Unauthorized access to our proprietary information could result in intellectual property theft, which would impact our competitive position in the market.
4. Regulatory and Legal Compliance: Cybersecurity incidents may subject us to regulatory investigations, legal claims, and penalties, affecting our compliance with applicable laws and regulations.
5. Third-Party Relationships: Our reliance on third-party vendors and service providers exposes us to additional cybersecurity risks, and a security breach affecting these entities could impact our operations.

Although cybersecurity incidents have not materially impacted our business strategy, results of operations, or financial condition to date, there can be no assurance that they will not do so in the future.
Risk Management and Strategy

Assessing, Identifying, and Managing Material Cyber Threats

We have specific infrastructure, systems, policies, and procedures designed to proactively and reactively address circumstances that arise when unexpected events such as a cybersecurity incident occur. These include processes for assessing, identifying, and managing material risks from cybersecurity threats. We consult with external parties, such as cybersecurity firms and risk management and governance experts, on risk management and strategy. We use a team of outside vendors and government services specializing in IT and cybersecurity that provide expertise, tools, and methodologies to identify and assess vulnerabilities and potential threats. Automated tools and AI-based user behavior analytics also support identifying and managing cyber threats. Response to a broad category of threats is immediate and automatic. Security personnel and members of our management are alerted when cyber threats or anomalies are detected. Persistent threats or issues that, in the opinion of management, are material are immediately brought to the attention of our board of directors.

In the event of a cyber incident detected by 24/7 monitoring software or reported by an employee, our IT and cybersecurity provider performs a detailed assessment of the incident, identifies the source of the problem, and resolves the issue as appropriate. If they cannot resolve the issue, the problem is escalated to our cybersecurity monitoring and detection software provider for resolution. Events that our IT and cybersecurity providers do not routinely resolve are brought to the Board's attention. Critical business and operational data are backed up nightly and securely stored offsite to mitigate the risks of cybersecurity incidents or equipment failure. We provide cybersecurity awareness training to our employees, incident response personnel, and senior management.
Governance

Our management team, including our Vice President of Technology, is primarily responsible for assessing and managing our material risks from cybersecurity threats. Management supervises our internal cybersecurity and IT personnel and our retained external cybersecurity consultants and vendors. Additionally, they supervise efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal or external security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants or vendors engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Our Board of Directors, through its Audit & Risk Committee, provides oversight and oversees management processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Management, including our Vice President of Technology and our Audit & Risk Committee members, regularly brief our board of directors on our cybersecurity and information security posture and on cybersecurity incidents deemed to have a moderate or higher business impact, even if viewed as immaterial to us. As cyber threats evolve and become more sophisticated, we believe that the Board's involvement in cybersecurity governance ensures that we adequately focus resources to protect the Company's assets and reputation.

Vital aspects of our cybersecurity governance that are currently in process or have been implemented include the following:

- Governance and Strategy: Management, the Audit & Risk Committee, and the Board ensure that our cybersecurity strategy is aligned with our business strategy.
- Risk Management and Oversight: Our Audit & Risk Committee and the Board, as part of the board's enterprise risk management oversight, actively oversee our cybersecurity risk management framework, ensuring that material risks are identified, assessed, and mitigated.
- Resource Allocation:
  - Budget Approval: The Board reviews and approves cybersecurity budgets and resource allocations to ensure we have adequate resources to implement and maintain effective cybersecurity measures.
  - Investment Decisions: The Board evaluates and approves significant investments in cybersecurity technologies, training, and talent based on the recommendations of management or our external vendors and consultants.
- Compliance and Legal Obligations:
  - Regulatory Compliance: Management and the Board oversee compliance with relevant cybersecurity regulations and legal requirements.
  - Legal Oversight: Management and the Board ensure we have appropriate legal counsel to address cybersecurity-related issues, including incident notification requirements.
- Education and Awareness:
  - Training and Awareness: Management and the Board take reasonable steps to stay informed about cybersecurity trends, threats, and best practices through ongoing education and training.
  - Employee Training: Management reviews Company employee training programs to ensure employees are trained appropriately and updated on evolving cyber trends.
  - Board Training: Certain board members have received training to understand cybersecurity risks and their role in overseeing cybersecurity.
- Reporting and Communication:
  - Periodic Updates: The Board receives periodic updates from management, responsible staff, and the Audit & Risk Committee regarding the Company's cybersecurity posture, incidents, and risk management efforts.
  - Communication Strategy: Management and the Board have a communication strategy for addressing cybersecurity disclosures with stakeholders, including customers, employees, and the public.
- Performance Evaluation: The Board's annual evaluation of the Chief Executive Officer's performance includes assessing the effectiveness of implementing cybersecurity policy and measures and ensuring that cybersecurity policies and practices are effective and aligned with organizational goals.
- Cybersecurity Culture: The Board fosters a cybersecurity-aware culture throughout the organization, supporting management's efforts to integrate risk management, including cybersecurity, into the operating culture.

Management and the Board are evaluating and intend to implement further cybersecurity-related measures, including, without limitation, developing a more robust internal policy framework, incident response plan, crisis management planning, third-party vendor assessments, and contractual obligations for third parties that the Company engages with. The Company intends to progress these efforts throughout 2024. Despite these efforts, the rapidly evolving nature of cybersecurity threats requires ongoing vigilance, and there can be no assurance that our efforts will prevent all incidents.


Company Information

Name: ONE STOP SYSTEMS, INC.
CIK: 0001394056
SIC Description: Electronic Computers
Ticker: OSS - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30