EBR Systems, Inc. 10-K Cybersecurity GRC - 2025-03-24

Page last updated on March 24, 2025

EBR Systems, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-24 17:29:06 EDT.

Filings

10-K filed on 2025-03-24

EBR Systems, Inc. filed a 10-K at 2025-03-24 17:29:06 EDT
Accession Number: 0001214659-25-004709


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have developed, implemented, and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communication systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature (“Information Systems and Data”). Our third-party service providers help identify, assess, and manage the Company’s cybersecurity threats and risks.

Our cybersecurity function identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods, including, for example: manual tools, automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating threats reported to us, and use of external intelligence feeds.

Our cybersecurity risk management program is integrated into our overall enterprise risk management program, for example by sharing common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material cybersecurity risks, including, for example:

· risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
· a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
· monitoring of our systems in real-time to identify, contain, and report exposures as appropriate;
· cybersecurity awareness training for our employees, incident response personnel, and senior management;
· a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
· incident detection and response measures;
· a vulnerability management policy;
· business continuity plans;
· implementation of security standards/certifications;
· encryption of data;
· network security controls;
· data segregation;
· access controls;
· physical security;
· asset management, tracking and disposal;
· a vendor risk management program;
· penetration testing; and
· cybersecurity insurance.

We use third-party service providers from time to time to assess, test, or otherwise assist with aspects of our management of material risks from cybersecurity threats, including, for example: threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, and managed cybersecurity service providers.

We also use third-party service providers to perform a variety of functions throughout our business, such as hosting companies. We have a third-party risk management process for service providers, suppliers, and vendors, which includes conducting audits. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including "Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or our customers’ patients or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation."

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the audit and risk committee oversight of cybersecurity and other information technology risks. The audit and risk committee oversees management’s implementation of our cybersecurity risk management program. Pursuant to its charter, the audit committee’s oversight of the integrity of our information technology systems and cybersecurity risks includes the review and assessment, with management, of the adequacy of controls and security for our Information Systems and Data, as well as our contingency plans in the event of a breakdown or security breach affecting our information technology systems.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management and third-party service providers. These individuals are responsible for helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy and communicating key priorities to relevant personnel. Additionally, they are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Executive Officer and Chief Financial Officer. These individuals work with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. The Company’s incident response plan includes reporting to the audit and risk committee on certain cybersecurity risks, including any material cybersecurity incidents, as well as certain incidents with lesser impact potential.

The audit and risk committee reports to the full Board regarding its activities, including those related to cybersecurity. In addition, management may from time to time directly provide the full Board with briefings on our cyber risk management.


Company Information

Name: EBR Systems, Inc.
CIK: 0001347123
SIC Description: Surgical & Medical Instruments & Apparatus
Ticker: EBRCZ - OTC
Website
Category
Emerging growth company
Fiscal Year End: December 30