AMERICAN SHARED HOSPITAL SERVICES 10-K Cybersecurity GRC - 2025-04-04

Page last updated on April 4, 2025

AMERICAN SHARED HOSPITAL SERVICES reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-04-04 17:19:54 EDT.

Filings

10-K filed on 2025-04-04

AMERICAN SHARED HOSPITAL SERVICES filed a 10-K at 2025-04-04 17:19:54 EDT
Accession Number: 0001437749-25-011052


Item 1C. Cybersecurity.

Item 1C. Cybersecurity" below, there is no guarantee that the IT infrastructure developed by the Company and the cybersecurity measures implemented by the Company will be successful in preventing and defending against the evolving and increasingly sophisticated range of cyber incidents that the Company could be exposed to. Furthermore, there can be no assurance that the Company’s cybersecurity risk management strategy and processes will be fully implemented, complied with, or effective in safeguarding the Company’s data, systems, and information. Any actual compromise of or perceived threat to the Company’s IT systems and infrastructure could cause significant legal and financial exposure for the Company, damage the Company’s reputation, and create adverse publicity, which could adversely affect the Company’s business, operations, and financial condition. Any necessary response to a cyber-attack, which could include analyzing a security incident, patching security vulnerabilities, notifying individuals affected by the incident, determining the materiality of the incident, disclosing the incident in accordance with any applicable legal and regulatory requirements, and responding to any resulting litigation, could also divert the Company’s resources and attention from its growth operations and business objectives, which could further hinder its operational and financial performance.

Macroeconomic conditions could have a material adverse effect on our business, results of operations, and financial condition.

Unfavorable macroeconomic conditions, including low productivity growth, declining business investment, inflationary pressures, fluctuating interest rates, concerns regarding the imposition of tariffs (including retaliatory tariffs in response to tariffs imposed by the United States), concerns regarding the level of U.S. debt, shifts in monetary and fiscal policy, strained international trade relations, and heightened geopolitical pressures, could negatively impact our business, results of operations, and financial condition. Economic downturns may cause hospitals and medical centers to reduce spending on capital-intensive medical equipment, delay lease renewals for the radiation therapy devices, and decrease overall investment in new treatment technologies. Trade policies like tariffs and retaliatory measures, as well as geopolitical tensions in the U.S. and global markets, may cause disruptions to medical equipment supply chains, increase the cost of acquiring advanced radiation therapy technology, and delay the delivery of essential components of our Gamma Knife and LINAC systems. Economic and inflationary pressure on patients and health care providers, along with prolonged uncertainty in the macroeconomic environment, could result in changes in hospital procurement decisions, reduced demand for elective procedures, and constrained budgets for medical technology investments. These conditions may also weaken investor confidence in the health care sector, reduce access to capital for expansion projects, and increase regulatory scrutiny over health care spending and reimbursement policies, all of which could have a material adverse effect on our business, financial condition, and results of operations.

We are subject to risks associated with foreign operations, including political, economic, and regulatory uncertainties.

We operate Gamma Knife and LINAC facilities in Peru, Ecuador, and Mexico. These operations expose us to various risks, including changes in foreign regulations, economic instability, and shifts in health care reimbursement policies. If any of these countries implement stricter health care-related requirements, impose price controls, or experience significant currency fluctuations, our international revenue profitability may be negatively impacted.

The potential impairment of our Gamma Knife portfolio and its salvage value could adversely impact our financial condition and results of operations.

As of December 31, 2024, we determined that our Gamma Knife portfolio had no remaining salvage value, and certain sites experienced equipment impairment or are expected to expire in the second quarter of 2025. Additionally, two sites that recently recognized their salvage value as part of the Esprit upgrade were subsequently impaired. Accordingly, we concluded that there was no salvage value remaining and the Company recognized equipment impairment as of December 31, 2024. The impairment of equipment and change in estimate of salvage value could have a material adverse effect on our financial condition and results of operations. If additional impairments occur in the future, we may be required to recognize further losses on the write-down of impaired assets and incur additional removal costs for expired Gamma Knife units, which could negatively impact our reported earnings. Additionally, the continued aging of our equipment portfolio may necessitate increased capital expenditures to replace or upgrade systems, which could increase our financial burden.

Stock Ownership Risk

The trading volume of the Company’s common stock is low.

Although the Company’s common stock is listed on the NYSE American, the Company’s common stock has historically experienced low trading volume. Reported average daily trading volume in our common stock for the three-month period ended December 31, 2024 was approximately 21,000 shares. It is not likely that a further increase in an active trading market in the Company’s common stock will develop in the future. Limited trading volume subjects the Company’s common stock to greater price volatility and may make it difficult for shareholders to sell their shares in a quantity or at a price that is attractive.

Our officers, directors and principal shareholders collectively own a substantial portion of our common stock.

Collectively, our officers and directors beneficially own approximately 23.2% of our outstanding common stock, with Raymond Stachowiak, the Executive Chairman of the Board, beneficially owning approximately 22.8% of our common stock. As a result, investors may face challenges in affecting matters involving our Company, including:

● the composition of our Board of Directors and, through it, any determination with respect to our business direction and policies, including the appointment and removal of officers;
● any determinations with respect to mergers or other business combinations;
● our acquisition or disposition of assets; and
● our corporate financing activities.

Our officers, directors, and principal shareholders may act in concert to significantly influence these and other matters requiring shareholder approval. Furthermore, this concentration of voting power could have the effect of delaying, deterring, or preventing a change of control or other business combination that might otherwise be beneficial to our shareholders. This significant concentration of share ownership may also adversely affect the trading price for our common stock because investors may perceive disadvantages in owning stock in a company in which a small number of shareholders hold a significant ownership interest.

We do not anticipate paying dividends on our common stock.

We do not expect to pay or declare dividends in the foreseeable future. The declaration of dividends is subject to the discretion of our board of directors and will depend on various factors, including our operating results, financial condition, future prospects, covenants in documents governing our debt obligations and any other factors deemed relevant by our board of directors. You should not rely on an investment in our company if you require dividend income from your investment in our company. The success of your investment will likely depend entirely upon any future appreciation of the market price of our common stock, which is uncertain and unpredictable. There is no guarantee that our common stock will appreciate in value.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

The Company recognizes the importance of securing its information, devices, and data and the IT systems it relies on to conduct its business. The Company has established its Network, Information, and Data Security Policy Guidelines (the “NIDSP Guidelines”) designed to protect the integrity and confidentiality of data and information belonging to or being exchanged by the Company and its employees, partners, customers, service providers, and suppliers and to safeguard that information and the Company’s IT infrastructure from unauthorized access, use, disclosure, alteration, and destruction.

Risk Management and Strategy

The protections, procedures, and controls set forth in the NIDSP Guidelines demonstrate the Company’s attention to and prioritization of cybersecurity as a component of its overall strategy and system for managing risks. The NIDSP Guidelines include five policies, described below, that together define the Company’s strategy and practices for managing cybersecurity threats and mitigating cybersecurity risks.

● Physical Security Policy (the “PSP”). The PSP establishes guidelines related to selecting IT operation sites, designating security zones, using, inspecting, and storing IT Assets, designing restricted-access and security controls, and monitoring compliance with safety and security standards. The goal of the PSP is to minimize risks of damage, destruction, unauthorized access, inadvertent disclosure, misuse, loss, or theft of the Company’s IT Assets. In accordance with the PSP, the Company: (i) evaluates IT operation sites based on their susceptibility to natural disasters, crime and theft, and unauthorized access; (ii) requires the use of keycards or biometrics in order to enforce security zones and give users the least amount of access required to do their jobs; (iii) requires systems and devices that store confidential data to be maintained and protected in accordance with the Company’s Confidential Data Policy; and (iv) requires visitors at the Company’s office to complete a sign-in log, wear a visitor badge, and be escorted by a designated employee at all times.

● Network Security Policy (the “NSP”). The NSP aims to protect the integrity of the Company’s data by securing the systems and devices that make up the Company’s network infrastructure. Pursuant to the NSP, the Company: (i) enforces strict password-construction criteria for network devices; (ii) requires employees to verify their identities using multi-factor authentication to access internal resources; (iii) maintains and reviews logs from application services, network devices, and critical devices and requires the retention of logs in accordance with the Company’s Retention Policy; (iv) implements and configures firewall technology to filter both inbound and outbound network connections; (v) authorizes the IT Manager to determine the extent and scope of external security testing to be performed; (vi) establishes a software-use policy; and (vii) requires antivirus and anti-malware software to be used and timely patched and updated on any Company-provided devices.

● Backup Policy. The Company’s Backup Policy applies to all data stored on Company systems. The Backup Policy specifies the types of data and information considered to be critical to the Company’s operations and thus required to be backed up, establishes a backup schedule that is necessary for successful data recovery, and implements procedures for the off-site rotation, storage, and retention of backups. The Backup Policy also establishes the Company’s data-restoration procedures and mandates the periodic testing of those procedures.

● Remote Access Policy (the “RAP”). The RAP defines the Company’s standards for accessing IT resources from outside the Company’s network, such as when an employee is working remotely. Pursuant to the RAP, remote access is only permitted if accomplished through secure, Company-provided means. The Company uses remote-access software designed to guard against unauthorized access using traffic encryption during transmission and firewall protections.

● Confidential Data Policy (the “CDP”). The CDP governs the handling, storage, transmission, destruction, and protection of confidential data. Pursuant to the CDP, confidential data must be securely stored, removed from common areas, properly marked as confidential data, protected with strong encryption if being transmitted, and destroyed by means that make recovery impossible. Employees who are given access to confidential data are required to immediately notify their supervisor if they suspect any misuse or unauthorized disclosure of confidential information.

The Company’s NIDSP Guidelines and policies apply not only to the Company’s employees and consultants but also to any third parties that access or utilize the Company’s information and systems. Such third parties may include the Company’s service providers, customers, suppliers, contractors, consultants, and any other individuals the Company conducts business with. The IT infrastructure that the Company has developed in accordance with the NIDSP Guidelines is designed to monitor both internal and external cybersecurity risks. The NIDSP Guidelines equip the Company with the tools and systems necessary to recognize, address, and protect against risks associated with its third-party interactions.

Cybersecurity Governance

The Company’s IT Manager and executive team are responsible for the day-to-day management of cybersecurity risks, while the Company’s Board of Directors has responsibility for oversight of risk management. As part of the Company’s framework for cybersecurity risk oversight and governance, the Company’s network, information, and data-security policies set forth in the NIDSP Guidelines are enforced by the Company’s IT Manager and/or its executive team. The IT Manager is an employee designated by the Company to manage the Company’s security policies and program. The IT Manager is tasked with ensuring that the Company maintains compliance with the Company’s security policies and any applicable security regulations. The IT Manager is responsible for: (i) implementing the Company’s security policies; (ii) disseminating the Company’s security policies to all employees; (iii) establishing a training program for all employees and users covered by the Company’s IT security policy to notify them of the Company’s security policies, train and re-train them to comply with the Company’s IT security program, and educate them on the importance of data security; (iv) performing any ongoing testing or analysis of the Company’s security infrastructure, policies, and procedures; and (v) updating the NSP and any other policies and guidelines as needed to comply with applicable regulations and to stay up to date with the changing IT security landscape.

The IT Manager works closely with the Company’s management and executive team to determine the Company’s IT-related needs, to evaluate the sufficiency of the Company’s data-governance policies and practices, to keep the Company’s management informed of notable cybersecurity-related updates, to review its security-related policies, and to identify ways to strengthen the systems and procedures implemented by the Company to detect, assess, and manage data risks.

In the event of the detection of an actual or suspected cybersecurity incident, the Company’s IT Team, led by the IT Manager, assesses the incident as “minimal”, “low”, “moderate” or “high”. Incidents assessed at a minimal or low risk are reported to the Company’s management and the Executive Chairman of the Board, and the Executive Chairman of the Board may share this information with the Board. Incidents assessed at a moderate or high risk are reported to the Company’s management, the Executive Chairman of the Board, and the Company’s Board of Directors.

Notwithstanding the Company’s cybersecurity-related policies, procedures, and governance framework, the ever-present threat of a cyber-attack, data breach, or other security incident is pervasive. The increasingly sophisticated nature of the tactics used to circumvent IT security safeguards makes cybersecurity threats increasingly difficult to detect and respond to. While the Company does not believe its business strategy, results of operations, or financial condition have been materially adversely affected by any cybersecurity threats or incidents, there is no assurance that the Company will not be materially affected by such threats or incidents in the future. Accordingly, the Company will continue to monitor cybersecurity risks and strive to invest in and strengthen its cybersecurity infrastructure.


Company Information

Name: AMERICAN SHARED HOSPITAL SERVICES
CIK: 0000744825
SIC Description: Services-Medical Laboratories
Ticker: AMS - NYSE
Website: (not provided)
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30