CYNERGISTEK INVESTOR PRESENTATION



SLIDE 1

NYSE AMERICAN: CTEK

CYNERGISTEK

INVESTOR PRESENTATION

SLIDE 2

SAFE HARBOR STATEMENTS

This presentation contains, and our officers and representatives may from time to time make, “forward-looking statements” within the meaning of the safe harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995. Forward-looking statements can be identified by words such as: “anticipate,” “intend,” “plan,” “goal,” “seek,” “believe,” “project,” “estimate,” “expect,” “strategy,” “future,” “likely,” “may,” “should,” “will” and similar references to future periods. Examples of forward-looking statements include, among others, statements we make (herein or otherwise) regarding the size of the potential market for our services; the number of potential customers/clients for our services; plans and strategies of CynergisTek and its subsidiaries for future growth and performance; market acceptance of our business model; our ability to integrate acquisitions and merged companies; and timelines relating to growth, milestones, and strategic focus. Forward-looking statements are neither historical facts nor assurances of future performance. Instead, they are based only on management’s current beliefs, expectations and assumptions regarding the future of our business, future plans and strategies, projections, anticipated events and trends, the economy and other future conditions. Because forward-looking statements relate to the future, they are subject to inherent uncertainties, risks and changes in circumstances that are difficult to predict and many of which are outside of our control. Our actual results and financial condition may differ materially from those indicated in the forward-looking statements. Therefore, you should not rely on any of these forward-looking statements. Important factors that could cause our actual results and financial condition to differ materially from those indicated in the forward-looking statements include, among others, the risk factors discussed throughout Part II, Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations, and in Part I, Item 1A. Risk Factors of our Annual Report on Form 10-K for the year ended December 31, 2019; and throughout Part I, Item 2. Management’s Discussion and Analysis of Financial Condition and Results of Operations of our Quarterly Reports on Form 10-Q for the quarters ending March, June and September 31. Any forward-looking statement made by us in this presentation is based only on information currently available to us and speaks only as of the date on which it is made. We expressly disclaim any obligation to publicly update any forward-looking statement, whether written or oral, that may be made from time to time, whether as a result of new information, future developments, or otherwise.

SLIDE 3

  • Unrivaled industry expertise in healthcare, covering 1,000+ healthcare provider locations and business associates, and partnered with 2 of the 10 largest health systems in the US; a top medical device manufacturer; and 4 Electronic Health Records Companies
  • Revenue is packaged as a recurring managed service with significant upsell opportunity for re-occurring consulting and professional services
  • Trusted advisor enabling clients to protect and support patient safety and care operations
  • Leadership team with experience across the security and healthcare industry including former auditors, Healthcare CIO’s and leaders at Symantec, Cylance and IBM Security

CynergisTek is the premier provider of cybersecurity managed services and security & compliance consulting to healthcare and other regulated industries

Founded in 2004

Est.

115 Employees

Cont’d YoY Growth in Managed Service Rev.

$21.4M 2019A Revenue

What makes us unique?

Industry Accolades: Top Performing Services

  • KLAS 2018 Cybersecurity
  • KLAS 2018 HIT Advisory
  • KLAS 2018 Tech Services

CYNERGISTEK AT A GLANCE

24%

Of managed service clients have 2 or more managed services

85%+

2019 Managed Service Renewal Rate

~56%

Revenue driven by recurring Managed Services segment in 2019E

~44%

Revenue driven by re-occurring Consulting Segment, and Professional Services

330 Customers Nationwide

1k+ Healthcare Locations

50%+

Of clients using 2 or more service offerings

145

Managed Service Clients

SLIDE 4

HEALTHCARE CYBERSECURITY IS A LARGE AND GROWING MARKET OPPORTUNITY

Top 10

Most likely industry to be attacked

1 in 8

Americans have had their medical records exposed in data breaches

65%

Costlier data breaches than any other industry

$6.5M or $429/record

Average cost of Healthcare data breach

59%

Of attacks in Healthcare come from the inside

32M

Healthcare Records Breached in First Half of 2019

$14.4B

Anticipated Healthcare Cybersecurity Market by 2024

118%

Increase in Ransomware attacks during the first quarter of 2019

$4B

Estimated Healthcare Data Breach Cost in 2019

Increasing Skill and Resource Gap

Increasing Volume and Cost of Attacks

Exponential Risk

Immature Cybersecurity Adoption in Healthcare

SLIDE 5

WHAT SETS CYNERGISTEK APART?

  • Proven client growth strategy through trusted advisor relationships
  • Potential to leverage engagement insights to be positioned for future opportunities
  • Codified best practices and deep reservoir of experience drives efficiencies of engagements
  • Teams led by nationally recognized experts in their field
  • Unique Combination of Cybersecurity, Privacy, and Compliance knowledge with Healthcare and Regulated industry experience

CynergisTek brings expertise that is both Cybersecurity & Compliance specific to healthcare & other regulated industries

SLIDE 6

Managed Services, 56% Professional and Consulting, 44%

SOLUTIONS OVERVIEW

COMPLETE SERVICE OFFERING Vendor Security Management Medical Device Security Management Patient Privacy Monitoring Service Risk Assessments Services

Managed Services Professional & Consulting Services

Red/Purple Teaming Ransomware Assessment Cloud Security Assessment GDPR/Data Privacy Compliance Security Control Validation EPCS Services IT Audit Services Endpoint Security 20+ Others Incident Response Readiness Exercise

SLIDE 7

MANAGED SERVICES SNAPSHOT

Compliance Assist Partner Program

Annual Assessments § Annual Review to identify security gaps through several assessments & analyses Internal and External Assessment § External: Quarterly § Internal: Bi-Annually

Patient Privacy Monitoring Medical Device Security

Experienced professionals review documents, processes, and procedures impacting research, and identify possible gaps against HIPAA requirements § Annual review to identify security gaps through several assessments & analyses § Regularly review user activity within designated ePHI applications Medical Device Security Technical Assessment § Comprehensive inventory of networked devices and associated vulnerabilities Medical Device Security Assessment § Evaluation of security controls & an identification of gaps or vulnerabilities

Medical Device Security Management Strategy § Strategy articulating different risk categories and remediation roadmap

Vendor Security Management Managed Security Services*

Evaluate and monitor vendors on a regular and ongoing basis

§ Comprehensive assessments § Status Updates on vendor participation and escalation of issues § Quarterly Program Report covering high-level of the vendor program, including recommendations

Complete security monitoring solution and strategic security partnership § Cloud, Endpoint, SaaS, and Network § 24x7 detection and response with trained cyber experts § Assessment and remediation support

*Currently serviced via referral

SLIDE 8

Electronic Prescription and Control Substances Audits

Assess an organization’s cyber resilience to identify if the security controls in place are effective and working. This service identifies gaps or oversights in security technology and process. Validating your security investment, if your organization has outsourced part of your program to a managed security services provider (MSSP). Emphasis on the simulation of attacks that happen every day in corporate networks. Perform passive host/service discovery and enumeration, using a variety of tools and comprehensive manual analysis. Followed by precise targeted attacks against the services identified as potential vulnerabilities.

PROFESSIONAL & CONSULTING SERVICES SNAPSHOT*

Experts on-staff deliver high-end, high margin services to both large organizations and SMEs

Pen Test & Red/Purple Teaming Security Control Validation Ransomware Assessment Endpoint Security

Using predictive modeling, we identify and prevent threats – both known and unknown. Our team of security analysts then takes this threat data and creates actionable insights for your internal team. Certifies EPCS software vendor’s solutions, and ensures compliance

Data Privacy

Privacy Impact Assessments, GDPR Compliance Assessments, Social Media Governance, and others

IT Audit Services

Third Party Risk Assessments, Medical Device Security, ERP Security, Security Architecture, Cloud Security

Cloud Security Assessments

* Not all services shown

Helps organizations build strong security and response practices to better prepare for a ransomware-related incident. This includes a thorough review of existing controls and practices that provide protection against, reduce the spread of, and increase the speed to respond and recover from a ransomware attack.

Determine the levels of cyber risk, potential loss, disruption, or exposure of your cloud-based assets to better understand your cyber risk posture; building a roadmap for risk reduction.

SLIDE 9

TRUSTED NATIONAL BUSINESS ACROSS DIVERSE INDUSTRIES**

*Covered entities are defined in the Health Insurance Portability and Accountability Act (HIPAA) rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the department of Health and Human Services (HHS) has adopted standards.

**Does not include addition of recent acquisition of Backbone Consultants

Health Care Information Technology Consumer Discretionary Financials Other

Current Client Mix by Industry

  • 19% of workforce has military experience
  • 86% of our employees are remote covering 31 states
  • 33% of our employees are women

SLIDE 10

COMPETITION

| RELATED COMPANIES | Revenue* | Healthcare Focus |
| --- | --- | --- |
| CynergisTek | $21M | Healthcare |
| Deloitte | $46B** | None |
| KPMG | $29B* | None |
| HCI Group | $160M* | Healthcare |
| EY | $36B** | None |
| Secure Digital Solutions | N/A | None |
| IBM | $80B* | None |
| Atos | $13B* | Healthcare^ |
| Impact Advisors | $84M* | Healthcare |

*Estimated 2018 Revenues in US Dollars

**Estimated 2019 Revenues in US Dollars

^Atos does not exclusively focus in healthcare, active in 21 industries

KLAS Research is a healthcare IT data and insights company providing the industry with accurate, honest, and impartial research on the software and services used by providers and payers worldwide

Black Book Market Research 2019 CynergisTek Named Top Performer Cybersecurity Advisors and Consultants

SLIDE 11

CTEK SELECT PARTNERS AND ALLIANCES

SLIDE 12

FINANCIAL SNAPSHOT

| COMPANY TICKER | NYSE: CTEK |
| --- | --- |
| UNITS | USD |
| Price (as of 6/4/2020) | $1.50 |
| FD Shares Outstanding* | 10.3M |
| Market Cap | $15.4M |
| LTM Revenue* | $20.7M |
| Cash* | $5.8M* |
| Long- and Short-Term Debt* | $1.7M |

*Data as of Q1 2020

[Chart: Financial Highlights ($Millions) – Expanding New Revenue Lines to Focus on Growth. Periods: 2018, 2019, Q1 YTD 2019, Q1 YTD 2020. Series: Managed Services; Professional & Consulting Services. Data labels as extracted: 52%, 39%, 40%, 33%; $21.4M, $5.7M, $5.1M, $21.3M]

SLIDE 13

InvestorRelations@cynergistek.com cynergistek.com

NYSE AMERICAN: CTEK

THANK YOU!

SLIDE 14

CYNERGISTEK’S MARKET OPPORTUNITY

Cybersecurity Consulting Market Opportunity ($B), +11% CAGR

| 2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
| --- | --- | --- | --- | --- | --- |
| $21.9B | $24.3B | $27.1B | $30.1B | $33.5B | $37.3B |

Healthcare Cybersecurity Market Opportunity ($B), ~16% CAGR

| 2019 | 2020 | 2021 | 2022 | 2023 | 2024 |
| --- | --- | --- | --- | --- | --- |
| $7.0B | $8.1B | $9.3B | $10.8B | $12.5B | $14.4B |

Large TAM, growing rapidly

Accelerated YoY Growth

  • +11% CAGR due to an increase of cloud-based business applications and expanding IoT tools

Increasing Regulation

  • Non-compliance fines cost 2.7x the cost of compliance services
  • There are now 52 unique breach disclosure laws in the United States

Healthcare #1 Attacked Industry

  • Under assault from advanced cyber threats and is the fastest growing segment for professional risk assessment and privacy services

SLIDE 15

INDUSTRY SNAPSHOT

Highly Targeted Industry

  • Every year Healthcare is in the top ten most likely to be attacked industries [1]
  • New research shows that 59% of all threat actors attacking the Healthcare industry come from the inside [2]
  • One in eight Americans have had their medical records exposed in a data breach [5]

Highest Cost of a Data Breach

  • New research shows that data breaches in Healthcare are 65% more costly than breaches in any other industry
  • Average cost of a Healthcare data breach is $6.45M or $429/record [3]

Skills Gap to Address the Problem Continues to Widen

  • 300,000 open security jobs in the United States and over 2 million worldwide [4]
  • Particularly problematic for health systems outside major metropolitan areas

Healthcare Remains Largely Unsophisticated with Information Security

  • Only 26% of the healthcare market is using two factor authentication – less than half the rate of the rest of the industry
  • Healthcare workers average 71 passwords per employee and reuse passwords across 10 systems on average [6]
  • Networks are almost universally not segmented

Rise in Ransomware and Destructive Attacks has Kinetic Implications

  • In the first 10 months of 2019, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks
  • In September a California provider was forced to close as they could no longer access medical records [8]
  • In October three hospitals in Alabama had to turn away patients due to a ransomware incident [9]

Increasing Regulatory Pressure in Adjacent Markets

  • There are now 52 different breach disclosure laws in the United States and they are all different [10]
  • Fines are becoming real with GDPR leading the way: British Airways was fined 229M Euro; two hospitals in Europe fined over 400,000 Euro [11]
  • California Consumer Privacy Act comes into effect in 2020 and is modeled after GDPR
  • First cybersecurity claims have been paid under the False Claims Act

SLIDE 16

THE SERVICES WE PROVIDE

COMPLIANCE ASSIST PARTNER PROGRAM (CAPP)

CAPP

OPTIONAL SERVICES

CynergisTek also offers optional services that can be customized to meet a compliance program’s unique needs.

ANNUAL ASSESSMENT

An annual extensive review to identify security gaps through the combination of the following:

  • Information Security Program Assessment
  • Technical Security Assessment
  • Risk Analysis
  • Architecture Assessment
  • Wireless LAN Security Assessment
  • MU EHR Security Controls Assessment

INTERNAL & EXTERNAL TESTING

CynergisTek will conduct regular internal and external testing to uncover potential threats.

  • External: Quarterly
  • Internal: Bi-Annually

CAPP COMMUNITY

CynergisTek Advisory Service addresses questions, concerns, and advice covering technology, program development and maintenance, and regulatory compliance matters.

PERIODIC EXECUTIVE REVIEWS

CynergisTek’s executive team leads workshops that are designed to:

  • Review remediation progress
  • Provide guidance on regulatory changes and security threats
  • Promote knowledge transference

Recurring Revenue model with Multi-year contracts

SLIDE 17

MAKE THE MOST OF YOUR PRIVACY MONITORING PROGRAM

THE SERVICES WE PROVIDE

PATIENT PRIVACY MONITORING AS A SERVICE (PPMS) CynergisTek collaborates with your organization to support functionality of your patient privacy monitoring tool.

PPMS

| DESCRIPTION | PPMS SELECT | PPMS ELITE |
| --- | --- | --- |
| Audit Program Development | ✓ | ✓ |
| Current & Future State Analysis | ✓ | ✓ |
| Optimization Plan & End User Training | ✓ | ✓ |
| Validation and Testing of Audit Tool | ✓ | ✓ |
| Proactive Audit Reporting Analysis | ✓ | ✓ |
| Incident Documentation and Escalation of Findings | ✓ | ✓ |
| Audit Tool Optimization | ✓ | ✓ |
| Standard Program Reports | ✓ | ✓ |
| Reactive Audit Reports, Advanced Analysis, Advanced Program Reports and Advisory Services | | ✓ |

*Some services may vary based on monitoring tool capabilities.

SLIDE 18

THE SERVICES WE PROVIDE

VENDOR SECURITY MANAGEMENT

Evaluate and monitor vendors on a regular and ongoing basis.

VSM ASSESSMENT APPROACH

  • Initiation: Analyst gets notified of ticket and initiates assessment in RiskSonar
  • Monitoring: Questionnaire/documentation request sent, and assessment progress updated/monitored.
  • Analysis: Analysis of vendor’s input conducted, and gaps identified upon assessment submittal
  • Reporting: Single Assessment Vendor Report created; client notified it is ready for review within RiskSonar
  • Next Steps: Vendors notified of remediation requirements/re-assessments
  • High Risk Vendors: Client is notified of high-risk vendors – client uses Risk Acceptance or Risk Exception process
  • Risk Exception: If client approves risk exception, vendor is tagged and tracked for annual renewal

VSM DELIVERABLES

  • Single assessment vendor with report outlining security gaps and risk rating
  • Status Updates on vendor participation and escalation of issues
  • Quarterly Program Report covering high-level of the vendor program including recommendations

REDUCING THE SUPPLY CHAIN RISK

VSM

SLIDE 19

THE SERVICES WE PROVIDE

SECURE AND PROTECT YOUR MEDICAL DEVICES

MEDICAL DEVICE SECURITY TECHNICAL ASSESSMENT

A comprehensive inventory of networked medical devices and the associated vulnerabilities.

MEDICAL DEVICE SECURITY ASSESSMENT

An evaluation of security controls and an identification of gaps or vulnerabilities in the management practices for medical device security.

MEDICAL DEVICE SECURITY MANAGEMENT STRATEGY

A strategy articulating different risk categories and a remediation roadmap to address the different categories and the unique issues/vulnerabilities.

MEDICAL DEVICE SECURITY PROGRAM MANAGEMENT

Our service is built to address the security aspects, as it relates to each component of the medical device lifecycle including policy development, pre-acquisition procedures, implementation and security control setup, identifying and reporting vulnerabilities, and coordinating remediation in conjunction with the device maintenance schedule.

Medical Device Security

SLIDE 20

THE SERVICES WE PROVIDE

24/7 NETWORK THREAT MONITORING/ALERTING

MANAGED SECURITY SERVICES OFFERING

Delivering a complete security monitoring solution and strategic security partnership with healthcare organizations

CLOUD, ENDPOINT, SAAS & NETWORK

  • Simple to deploy SaaS solution designed to co-manage security with our healthcare client
  • Native security for Cloud & SaaS Apps

CO-MANAGED & TRANSPARENT

  • 24x7 detection & response with cyber experts trained in cloud security
  • Assigned analysts and industry focused teams maintains continuity & awareness

ASSESSMENT AND REMEDIATION SUPPORT

  • Highly skilled experts deliver incident response & recovery on demand
  • A remediation team, with seasoned security professionals to prioritize, implement and execute the remediation plan.
  • Proactive threat hunting, penetration testing and cyber training complete the solution

Managed Security Services

SLIDE 21

THE SERVICES WE PROVIDE

RESOURCE & TALENT TO BRIDGE THE CYBER SKILLS GAP

CYBERSECURITY REMEDIATION

  • Next steps after a security assessment
  • On-demand seasoned security experts prioritize, implement and execute unique remediation plan
  • Short- and long-term remediation plan

CYBERSECURITY PROGRAM DEVELOPMENT

  • Utilize best practice standards and guidelines to review, build, and implement components of your security program
  • Improve the effectiveness of a complex strategy
  • Well-versed in many industry frameworks, ensuring the alignment of policy charters, program playbooks, and process and procedure documents are a solid foundation

STRATEGIC SECURITY STAFFING

Alleviate the efforts to source and employ skilled talent for projects that are high priority.

  • Virtual CISO and Privacy Officers
  • Sourcing difficult roles to cost-effective solution
  • Identified to align with your needs for short-term, project specific, long-term, or temp-to-hire cybersecurity and privacy engagements
  • Advisory services from resources recognized as subject matter experts in the healthcare industry

Professional Services