Guerrilla RF, Inc. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

Guerrilla RF, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 12:00:38 EDT.

Filings

10-K filed on 2025-03-27

Guerrilla RF, Inc. filed a 10-K at 2025-03-27 12:00:38 EDT
Accession Number: 0001437749-25-009538


Item 1C. Cybersecurity.

Risk Management and Strategy

We recognize the paramount importance of cybersecurity in preserving the integrity, confidentiality, and availability of our systems, data, and operations. Our cybersecurity program is designed to identify, assess, monitor, and manage material risks from cybersecurity threats. We have developed a comprehensive approach based on recognized frameworks including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and industry best practices.

Our cybersecurity program employs a defense-in-depth strategy that implements multiple layers of controls to protect our digital assets:

● Advanced endpoint protection solutions
● Next-generation firewalls and intrusion detection/prevention systems
● Data loss prevention tools and encryption for sensitive data
● Multi-factor authentication for all critical systems and applications
● Regular vulnerability scanning and penetration testing
● Continuous monitoring of our network and systems

We conduct regular risk assessments of our infrastructure, applications, and processes to identify vulnerabilities and implement appropriate controls. These assessments incorporate:

● Identification of reasonably foreseeable internal and external threats
● Assessment of the likelihood and potential impact of identified threats
● Evaluation of the sufficiency of policies, procedures, and technical measures to manage risks
● Regular testing and auditing of our security controls

All employees undergo mandatory security awareness training upon hiring and annually thereafter. This training covers best practices, emerging threats such as phishing and social engineering, and incident response procedures. We also conduct regular phishing simulation exercises to reinforce training and identify areas for improvement.

Industry Engagement and Staying Current

We maintain current with evolving cybersecurity threats, technologies, and best practices through:

● Active participation in industry-specific information sharing organizations
● Membership in cybersecurity forums and communities
● Strategic partnerships with third-party security providers who maintain current certifications and specialize in emerging threat detection and response
● Subscription to threat intelligence services that provide real-time updates on evolving threats
● Regular review and incorporation of updated guidance from organizations such as CISA, NIST, and industry regulatory bodies
● Engagement with cybersecurity thought leaders and experts through conferences and professional development
● Regular assessments of our security program against industry benchmarks and frameworks to identify improvement opportunities

Third-Party Risk Management

Our third-party risk management program is integrated into our overall cybersecurity strategy. We recognize the significant challenges posed by the need to govern third-party service providers and vendors, and have implemented robust processes to oversee and manage these risks:

● Security assessments of all third-party providers proportional to the risks present, before or soon after engagement, and periodically thereafter
● Contractual requirements for security and privacy protections
● Continuous monitoring of critical third-party services
● Incident response coordination with key vendors
● Regular audits of third-party security controls for those handling sensitive data

Before sharing or allowing the hosting of sensitive data in computing environments managed by third parties, we conduct thorough information security assessments. All third parties with access to our information systems must review and acknowledge our acceptable use policy before access is granted.

Incident Response and Business Continuity

We maintain a formal incident response plan with clearly defined roles, responsibilities, and procedures for:

● Identifying a cybersecurity incident
● Assessing its nature and scope
● Minimizing and containing the impact
● Investigating the root cause
● Communication and reporting to stakeholders
● Recovering and restoring affected systems

Our incident response procedures include escalation protocols to notify appropriate members of senior and executive management, the Board, and regulatory authorities in a timely manner based on the criticality of the cybersecurity incident. We conduct regular tabletop exercises and simulations to test the effectiveness of our response capabilities. We also maintain business continuity and disaster recovery plans to ensure operational resilience in the event of a significant cybersecurity incident. These plans are regularly tested and updated based on lessons learned from exercises and actual incidents.

Cybersecurity Governance and Personnel

The Audit Committee of our Board of Directors provides oversight of our cybersecurity program. The committee receives annual briefings from IT management on:

● The state of our cybersecurity program
● Significant security incidents and their resolution
● Results of security assessments and audits
● Progress on security initiatives and investments

Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our Senior Vice-President of IT, who has over 20 years of experience in information technology and cybersecurity, including a Bachelor of Science degree. Our SVP of IT reports directly to our Chief Executive Officer on a monthly basis and is responsible for updates to the Audit Committee regarding our cybersecurity posture and initiatives. Our IT department includes staff members who hold certifications in security, networking, and systems administration.

This team of qualified professionals works collaboratively to implement and maintain our comprehensive cybersecurity program. Their specialized expertise is supplemented by strategic partnerships with third-party security providers who hold additional industry-recognized certifications such as CISSP, CISM, CEH, and CompTIA Security+. Our IT team is responsible for:

● Developing and implementing security policies and procedures
● Monitoring and responding to security threats
● Coordinating security awareness training
● Managing incident response
● Providing regular reports to senior management and the Audit Committee

In the event of a material cybersecurity incident, our SVP of IT is responsible for promptly reporting to the CEO and the Audit Committee. A special meeting of the Audit Committee or full Board may be convened as necessary to address significant cybersecurity matters.

Material Incidents

As of December 31, 2024, we have not experienced any cybersecurity incidents that have materially affected our operations, business strategy, financial condition, or financial results. Our management has assessed known cybersecurity incidents for potential materiality and disclosure using formal documented processes.

While we have implemented extensive measures to fortify our defenses against cyber threats, it is important to acknowledge that the cybersecurity landscape is constantly evolving, with threat actors employing increasingly sophisticated tactics. Despite our best efforts, we cannot guarantee that our systems will be completely immune to cyber attacks. We remain vigilant in our efforts to protect our systems and data and continue to invest in our cybersecurity program to address emerging threats.


Company Information

Name: Guerrilla RF, Inc.
CIK: 0001832487
SIC Description: Semiconductors & Related Devices
Ticker: GUER - OTC
Website:
Category: Emerging growth company
Fiscal Year End: December 30