Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
At SOPHiA GENETICS, cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity risk management program is derived from the ISO27001 family of standards and underpins our Information Security Management System (“ISMS”) framework. This determines how we design our policies, guidelines, controls, and best practices to manage the organization’s information security risks while permitting us to leverage NIST, STRIDE, and SANS frameworks to inform our handling of cybersecurity threats and incidents. Additionally, we are certified in accordance with, and maintain our cybersecurity framework consistent with, the ISO 27001 standards.
The scope of applicability includes our globally accessible cloud-native solution offering along with all associated physical geographical locations: Switzerland, the U.S., and France. This is designed to achieve comprehensive global risk coverage across operations, application development, wet-lab analysis, and R&D. Many of these capabilities are delivered in-house; however, third-party services are engaged in a modest capacity to support specific activities, such as security operations center capabilities and annual penetration testing. Where engaged, the organization has vendor management procedures in place that require cross-functional participation from the areas of Quality, Procurement, Regulatory, Legal, and Cybersecurity. These procedures are also interlinked directly with cybersecurity’s ISMS.
Our framework includes tools and processes to identify and assess the severity of cybersecurity threats and incidents including, but not limited to, data loss, theft, and system penetration. Additionally, our framework allows us to identify whether the threat or incident is associated with a third-party provider, to dynamically implement cybersecurity countermeasures and mitigation strategies, and to inform management and our board of directors of material cybersecurity threats and incidents.
The cybersecurity team is further responsible for assessing our cybersecurity risk management program and communicating these risks to senior leadership and the Board. Although the assessment is performed solely within the cybersecurity team, external engagements inform that determination, for example:
– Annual penetration testing and tabletop exercises
– Quarterly phishing exercises
– Monthly SOC read-out calls
– External threat feeds
– Cyber insurance evaluation
– External audit activities (ISO27001, ISO15485)
– Board and Executive team feedback
The cybersecurity team is also responsible for providing all employee training, awareness, and education. It performs this by carrying out:
– Quarterly phishing exercises
– Digital awareness campaigns through intranet posts, email updates, and digital presentations
– Reach-out engagements to cross-functional teams aligned to their delivery schedules
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|At SOPHiA GENETICS, cybersecurity risk management is an integral part of our enterprise risk management program. Our cybersecurity risk management program is derived from the ISO27001 family of standards and underpins our Information Security Management System (“ISMS”) framework. This determines how we design our policies, guidelines, controls, and best practices to manage the organization’s information security risks while permitting us to leverage NIST, STRIDE, and SANS frameworks to inform our handling of cybersecurity threats and incidents. Additionally, we are certified in accordance with, and maintain our cybersecurity framework consistent with, the ISO 27001 standards.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors has overall oversight responsibility for our risk management and delegates cybersecurity risk management oversight to the audit committee of the board of directors. The audit committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents. The audit committee also reports material cybersecurity risks to our full board of directors.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The audit committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The audit committee also reports material cybersecurity risks to our full board of directors.
|Cybersecurity Risk Role of Management [Text Block]
|Management is responsible for identifying, considering, and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures, and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Technology Officer (“CTO”), who has over 20 years of technology leadership, receives reports from our cybersecurity team, and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our dedicated personnel hold a multitude of certifications, including but not limited to Certified Information Systems Security Professional (“CISSP”) and Certified Ethical Hacker, and include experienced information systems security professionals and information security managers with many years of experience. Management, including the CTO and our cybersecurity team, updates the audit committee on the company’s cybersecurity programs, material cybersecurity risks, and mitigation strategies, and provides cybersecurity reports annually that cover, among other topics, key performance metrics, developments in cybersecurity, and updates to the company’s cybersecurity programs and mitigation strategies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Management is responsible for identifying, considering, and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures, and maintaining cybersecurity programs. Our cybersecurity programs are under the direction of our Chief Technology Officer (“CTO”).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Chief Technology Officer (“CTO”), who has over 20 years of technology leadership
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Chief Technology Officer (“CTO”), who has over 20 years of technology leadership, receives reports from our cybersecurity team and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true