KALA BIO, Inc. - (KALA)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity

We have certain processes for assessing, identifying and managing cybersecurity risks, which are designed to help protect our information assets and operations from internal and external cyber threats, as well as secure our networks and systems. Such processes, which are effected principally through an outside information technology management/cybersecurity consultant and a computer security firm that we have engaged, include procedural and technical safeguards, response plans, incident simulations and routine review of our policies and procedures to identify risks and refine our practices. Our computer security firm serves as our managed security services provider, and its services include managed detection and response, incident management, managed security awareness and a quarterly risk assessment. Our information technology management/cybersecurity consultant has responsibility for managing detection and incident response in consultation with our managed security services provider. We considered the internal risk oversight programs of our information technology management/cybersecurity consultant and our managed security services provider before engaging them. As part of our overall risk mitigation strategy, we also maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches.

While we have not experienced any material losses relating to cyber-attacks, in 2019 we were the subject of a successful phishing attempt. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.

The Audit Committee of our Board of Directors, or the Audit Committee, provides direct oversight over cybersecurity risk. Our Audit Committee and Board of Directors receive periodic updates from our Chief Legal Officer and Chief Compliance Officer, together with our outside information technology management/cybersecurity consultant, and the Audit Committee and Board of Directors are notified between such updates regarding significant new cybersecurity threats or incidents.

Our Chief Legal Officer and Chief Compliance Officer is responsible for the management oversight of company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare us to address cybersecurity risks. Our Chief Legal Officer and Chief Compliance Officer has many years of experience overseeing company-wide legal and compliance risks, including at multiple publicly-traded companies. Our Chief Legal Officer and Chief Compliance Officer is supported by our outside information technology management/cybersecurity consultant and our managed security services provider.

We have also established a cross-functional Cybersecurity Committee, led by our Chief Legal Officer and Chief Compliance Officer, who serves as its chair, and consisting of senior leaders within our organization. The Cybersecurity Committee, with assistance from our outside information technology management/cybersecurity consultant, oversees our cybersecurity policy, which includes risk assessment, investments in cybersecurity technologies, cybersecurity insurance and review of relevant information technology policies.

In an effort to deter and detect cyber threats, we provide all employees, including part-time and temporary employees, with periodic cybersecurity training. This training program covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all cybersecurity incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.