Vivani Medical, Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Vivani Medical, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 08:45:49 EDT.

Filings

10-K filed on 2025-03-31

Vivani Medical, Inc. filed a 10-K at 2025-03-31 08:45:49 EDT
Accession Number: 0001753926-25-000527


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management.

Overview

We recognize the critical importance of maintaining the safety and security of our information technology systems and data and maintain a cybersecurity risk management program as a part of our overall risk management strategy that is focused on identifying, assessing and managing cybersecurity risks. We engage a Managed Services Provider (“MSP”), with a highly experienced and responsive staff including a virtual Chief Information Officer (“vCIO”), to assist us with the identification, monitoring and management of risks from cybersecurity threats. They assist us with our technology, infrastructure and risk management through the deployment of a number of security controls and tools. We also take steps to limit third-party vendors’ access to our systems, and we are in the process of developing additional vendor risk management procedures.

Board Oversight of Cyber Risk

The Audit Committee of our Board of Directors oversees our policies and procedures with respect to risk management, including our management of risks from cybersecurity threats. The Audit Committee administers this cybersecurity risk oversight function through the receipt and review of reports from the management team and the vCIO on the Company’s information technology systems and the status of the cybersecurity risk management tools.

Cybersecurity Risk Management and Strategy

We rely on information technology systems and data processing so that we or our service providers, collaborators, consultants, contractors or partners can operate to collect, process, transmit and store electronic information in our day-to-day operations. Our internal computer systems and data processing along with those of our third-party vendors, consultants, collaborators, contractors or partners may be vulnerable to risks from cybersecurity threats. To help manage these risks, we engage and rely on external experts, including an Information Technology MSP.

We are also in the process of developing additional cybersecurity policies and procedures, as we continually work to enhance and evolve our program in light of the constantly evolving threats to our environment. Our MSP assists us with our technology, infrastructure and risk management through the deployment of a number of security controls and tools, including, but not limited to, endpoint protection tools, phishing protection and access controls. We also take steps to limit third-party vendors’ access to our systems, and we are in the process of developing additional vendor risk management procedures.

Program highlights include:

- Aligning with various government and industry standards such as: National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, HIPAA, 21 CFR Part 11 and Sarbanes-Oxley (“SOX”),
- Conducting ongoing Security Awareness Training to keep employees informed of threats and how to spot them,
- Evaluating the cybersecurity policies of third-party vendors and service providers,
- Implementing redundant systems for mission critical operations,
- Developing and implementing Business Continuity/Disaster Recovery plans and procedures, and
- Ensuring robust protective measures such as:
  - Email security including phishing protection
  - Endpoint Security
  - Perimeter Firewalls
  - Physical Access controls
  - Rapid Ransomware monitoring and recovery
  - Multi-Factor Authentication
  - Non-administrative computer access for typical users
  - Encryption of computing systems

To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents that could affect our information or systems.

Governance Related to Cybersecurity Risks

In addition to the services provided by our MSP, we have also formed an IT Steering Committee, whose members include representatives from our management team as well as our MSP, to review our cybersecurity program initiatives and related program metrics. Our IT Steering Committee provides cybersecurity updates and reports to our Audit Committee at each quarterly meeting or would report more frequently if there was a need to do so.


Company Information

Name: Vivani Medical, Inc.
CIK: 0001266806
SIC Description: Electromedical & Electrotherapeutic Apparatus
Ticker: VANI - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30