NovaBay Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2025-04-02

Page last updated on April 2, 2025

NovaBay Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-02 17:17:25 EDT.

Filings

10-K filed on 2025-04-02

NovaBay Pharmaceuticals, Inc. filed a 10-K at 2025-04-02 17:17:25 EDT
Accession Number: 0001437749-25-010730

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Many aspects of our business are dependent upon our computer systems, devices, and networks to collect, process, and store data necessary to conduct many aspects of our business, including the recording and reporting of commercial and financial information, and payroll. We rely on standard operating systems and software from established and reliable third parties to provide security including Microsoft 365 and ADP. The Company does not have in-house information technology personnel. Management makes concerted efforts to select third-party software providers with a demonstrated track-record of effectively addressing cybersecurity concerns. In the event of a cybersecurity incident, we would rely upon these providers. In light of the Company’s current size and relatively low cyber-risk profile, management believes that reliance upon experienced third-party providers is the most prudent and cost-effective course. Governance Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company employees, including our Chief Executive Officer, General Counsel and Chief Compliance Officer. Our Board addresses the Company’s cybersecurity risk management as part of its general risk oversight function. The Board has access to various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation. In its oversight role, the Board is expected to specifically consider risks that relate to the reputation of the Company and the general industry in which we operate, including with respect to privacy, information technology and cybersecurity and threats to technology infrastructure. Our cybersecurity risk management processes are integrated into our overall approach to risk management. Given the nature and size of our Company, we do not have a dedicated enterprise risk function, but our management regularly considers and evaluates risks to our Company. As part of that risk management process, management identifies, assesses and evaluates risks impacting our operations across the Company, including those risks related to cybersecurity, and raises them for discussion with our employees, and where it is determined to be appropriate, issues are also raised to the Board for consideration. To promote organization-wide attention to cybersecurity issues, we conduct mandatory employee training on cybersecurity and provide ongoing cybersecurity education and awareness, monitoring phishing attacks, and cybersecurity awareness materials. The Company will be evaluating its cybersecurity governance and practices and expects to make appropriate changes to align with our significantly reduced and changed business and operations following the completed the Avenova Asset Sale and the Wound Care Divestiture. Cybersecurity Risks As of the date of this annual report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected our business strategy, results of operations or financial condition or are reasonably likely to have such a material effect. However, the sophistication of and risks from cybersecurity threats and incidents continues to increase, and the preventative actions that we have taken and continue to take to reduce the risk of cybersecurity threats and cybersecurity incidents and protect our information systems and information may not successfully protect against all cybersecurity threats and cybersecurity incidents. For additional information regarding risks relating to cybersecurity, see “Item 1A-Risk Factors.” - 22 - Table of Contents

Company Information