Page last updated on March 20, 2025
ROCKWELL MEDICAL, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 07:01:56 EDT.
Filings
10-K filed on 2025-03-20
ROCKWELL MEDICAL, INC. filed a 10-K at 2025-03-20 07:01:56 EDT
Accession Number: 0001628280-25-013983
Item 1C. Cybersecurity.
The Company’s management (the “Management”) and the Company’s board of directors (the “Board”) recognize the critical importance of maintaining the trust and confidence of our investors, employees, customers, partners, and vendors. The Board is actively involved in the oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management (“ERM”). The Company’s cybersecurity policies, standards, processes, and practices are fully integrated into the Company’s ERM program and are informed by recognized frameworks established by the National Institute of Standards and Technology (“NIST”) and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, mitigating, and remediating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

In the ordinary course of our business, we collect, use, store, and digitally transmit confidential, sensitive, proprietary, and personal information. The secure maintenance of this information and our information technology (“IT”) systems is important to our operations and business strategy. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our IT systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein.

These processes are managed and monitored by our Director of Technology and Information Systems and supported by our outsourced IT managed services provider, under the supervision of our Chief Corporate Affairs Officer, and include mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable and secure information technology environment. Our Chief Corporate Affairs Officer, who reports directly to the Chief Executive Officer, and our Director of Technology and Information Systems, who has three decades of experience managing and leading cybersecurity oversight, together with our other executive officers, are responsible for assessing and managing cybersecurity risks. Each member of Management holds undergraduate and graduate degrees in their respective fields and has extensive experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats. In the last fiscal year, the Company has not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. If we were to experience a material cybersecurity incident in the future, such incidents are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the risk factor titled, “Our business and operations would suffer in the event of a security breach, system failure, invasion, corruption, destruction or interruption of our or our business partners’ critical information technology systems or infrastructure.”

Risk Management and Strategy
Rockwell Medical believes that the Company maintains an IT and security program appropriate for a company its size, taking into account its operations and risks. As one of the critical elements of the Company’s overall ERM approach, the Company’s cybersecurity program is focused on the following key areas:

Governance
The Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which regularly interacts with the Company’s Chief Corporate Affairs Officer. The Board, as a whole and at the Audit Committee level, has oversight for the most significant risks facing the Company and for the Company’s processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is composed solely of independent directors, has been designated by the Company’s Board to oversee cybersecurity risks. The Audit Committee and the Board receive updates on cybersecurity and IT matters and related risk exposures from the Company’s Chief Corporate Affairs Officer and other members of Management on at least a semi-annual basis.

Collaborative Approach
The Company has implemented a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and processes that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by Management in a timely manner.

Information Security
The Company implements organizational, administrative, and technical measures based on commercially reasonable procedures using industry standard information security measures prescribed for use by NIST, the Sarbanes-Oxley Act, and other generally recognized industry standards, in each case designed to safeguard the confidentiality, integrity, and availability of our infrastructure and data and the resiliency of our operations. Additionally, we perform information security maturity assessments and penetration testing quarterly for our IT infrastructure, and conduct vulnerability scans across key assets, core infrastructure, and endpoints to identify potential vulnerabilities and potential cybersecurity events. We assess and prioritize the remediation of vulnerabilities and other cybersecurity risks identified through these activities, using a risk-based approach.

Technical Safeguards
The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Incident Response and Recovery Planning
The Company has established and maintains a comprehensive cybersecurity incident response plan (“IRP”) which establishes a framework designed to enable us to respond to cybersecurity incidents in a consistent, timely, and effective manner. Our IRP outlines procedures for identifying, reporting, investigating, assessing, and responding to cybersecurity incidents, including incident response team formation, roles and responsibilities by department, and communication and escalation protocols. Depending on the severity of the cybersecurity incident, the Company’s IRP contemplates escalation to Management and the Audit Committee and/or the full Board, as well as periodic briefings on developments related to the incident response. We review and update our IRP annually and have conducted training of key team members regarding the IRP.

Third-Party Risk Management
The Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers, and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education, Awareness and Training
The Company provides regular, mandatory cybersecurity training as a means to equip the Company’s personnel with effective tools to address cybersecurity threats, and to communicate the Company’s evolving information security policies, standards, processes, and practices. We conduct continuous automated phishing simulation campaigns which can trigger additional training for personnel on how to recognize social engineering attempts (e.g., phishing, smishing, vishing). We track performance on phishing exercises to help us monitor the awareness of our employees and inform future training priorities.

Risk and Readiness Assessments
The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits, and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits, and reviews are reported to the Audit Committee and the Board, and the Company adjusts its cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.

Insurance
We maintain information security risk insurance coverage to mitigate potential losses in the event of a business disruption. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the risk factor titled, “Our business and operations would suffer in the event of a security breach, system failure, invasion, corruption, destruction or interruption of our or our business partners’ critical information technology systems or infrastructure.”
Company Information
| Field | Value |
| --- | --- |
| Name | ROCKWELL MEDICAL, INC. |
| CIK | 0001041024 |
| SIC Description | Pharmaceutical Preparations |
| Ticker | RMTI - Nasdaq |
| Website | |
| Category | Non-accelerated filer, Smaller reporting company |
| Fiscal Year End | December 30 |