BioCardia, Inc. 10-K Cybersecurity GRC - 2025-03-26

Page last updated on March 26, 2025

BioCardia, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 17:18:10 EDT.

Filings

10-K filed on 2025-03-26

BioCardia, Inc. filed a 10-K at 2025-03-26 17:18:10 EDT
Accession Number: 0001437749-25-009397

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We rely on information technology and data to operate our business and advance our pipeline of product candidates. Our critical information technology includes computer networks, third-party hosted services, communication systems, software and infrastructure and our critical data includes confidential, personal, proprietary and sensitive data (collectively, Information Assets). Accordingly, we maintain a process for identifying, assessing, and managing material risks from cybersecurity threats as part of our broader risk management system and processes. We routinely assess risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our Information Assets and mitigate harm to our business. To operate our business, we utilize certain third-party service providers to provide a variety of functions, such as outsourced business functions, professional services, software-as-a-service platforms and encryption and authentication technology. Depending on the services provided, the sensitivity and quantity of information processed and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, or requiring that the vendor certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with its work with us, and to promptly report any suspected breach of its security measures that may affect our company. 66 We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Our information technology team consists of professionals with deep cybersecurity expertise across multiple industries. Our executive leadership team, along with input from the above professionals, are responsible for our overall enterprise risk management process and regularly consider cybersecurity risks in the context of other material risks to the Company. As part of our risk management system, we track and log privacy and security incidents to facilitate our efforts to remediate and resolve any such incidents. Any significant incidents are reviewed with our Chief Financial Officer and incidents that are assessed as potentially being or potentially becoming material are escalated within the appropriate members of management and reported to our executive leadership team. We consult with outside counsel as appropriate, including on materiality analysis and disclosure matters, and our executive leadership team makes the final materiality determinations and disclosure and other compliance decisions. The Board of Directors has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks. Our executive leadership team regularly discusses cyber risks and trends and, should they arise, any material incidents with the Board of Directors. To date, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Company Information