CalciMedica, Inc. - (CALC)
10-K Filing Date: March 28, 2024
Risk management and strategy
We have implemented and maintain information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and our clinical trial data (“Information Systems and Data”).
Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response and disaster recovery plan, disaster recovery testing, data encryption for certain data, asset management, system monitoring and multi-factor authentication for certain systems, employee training and cybersecurity insurance.
We use a third-party information technology consultant to help identify, assess and manage the Company’s cybersecurity threats and risks. This consultant reports to and works with our management team, including our Chief Scientific Officer and our President and Chief Operating Officer, to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods and tools, including, for example, subscribing to reports and services that identify cybersecurity threats, leveraging certain system monitoring tools, and leveraging tools provided through Microsoft Office 365.
Our assessment and management of material risks from cybersecurity threats are taken into account as part of the Company’s risk management processes. For example, our senior management works with our information technology consultant to evaluate material risks from cybersecurity threats against our overall business objectives.
We use third-party service providers, including cybersecurity consultants, to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats.
We use third-party service providers to perform a variety of critical functions throughout our business, such as hosting providers, application providers, contract research organizations, contract manufacturing organizations, and other third-party service providers. We review the cybersecurity risks associated with the use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment and due diligence designed to help identify cybersecurity risks associated with a vendor, as well as the imposition of security related contractual obligations on the vendor.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Our information technology systems, or those of our CROs or other contractors or consultants, may fail or suffer security breaches, loss or leakage of data, and other disruptions, which could result in a material disruption of our product candidates’ development programs, compromise sensitive information related to our business or prevent us from accessing critical information, potentially exposing us to liability or otherwise adversely affecting our business.”
Governance
Our Board of Directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board of Directors is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Scientific Officer, our President and Chief Operating Officer, and our Vice President Finance and General Counsel, who also serves as our compliance officer. These members of management have prior work experience in various roles involving managing information security programs and are informed about and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents.
Our Chief Scientific Officer and our President and Chief Operating Officer are responsible for engaging appropriate personnel and companies, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant employees and personnel. Our President and Chief Operating Officer is also responsible for managing budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
We have adopted a Cybersecurity Incident Response Policy which is designed to escalate certain cybersecurity incidents to a Cybersecurity Incident Management Team consisting of our Chief Scientific Officer, President and Chief Operating Officer, General Counsel and our information technology consultant. Depending on the circumstances, cybersecurity incidents are reported to our Chief Executive Officer and Chief Financial Officer. Senior management works to help the Company mitigate and remediate cybersecurity incidents of which they are notified in addition to notifying the Audit Committee of the Board of Directors, as appropriate.
The Audit Committee of the Board of Directors receives periodic reports as needed from management concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them. The Audit Committee also has access to various reports, summaries or presentations related to cybersecurity threats, risks and mitigation.