Pulmatrix, Inc. - (PULM)
10-K Filing Date: March 28, 2024
We operate in the biopharmaceutical industry, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws and other litigation and legal risk, and reputational risk. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We currently have security measures in place to protect information and prevent data loss and other security breaches, including a cybersecurity risk assessment program. Both management and the board of directors are actively involved in the continuous assessment of risks from cybersecurity threats, including prevention, mitigation, detection, and remediation of cybersecurity incidents.
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
Our current cybersecurity risk assessment program includes identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. The program outlines governance, policies and procedures, and technology we use to oversee and identify risks from cybersecurity threats and is informed by previous cybersecurity incidents we have observed in our industry.
Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. Primary responsibility for the day-to-day assessment and management of risks from cybersecurity, including the prevention, mitigation, detection, and remediation of cybersecurity incidents, rests with an IT consultant who reports to management.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.
We engage consultants or other third parties in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with its work with us, and to promptly report any suspected breach of its security measures that may affect our company.
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee.
To date, no cybersecurity incident (or aggregation of incidents) or cybersecurity threat has materially affected our results of operations or financial condition. However, an actual or perceived breach of our security could damage our reputation, interfere with the progress of our clinical trials, interfere with our efforts to pursue regulatory approvals for our product candidates, or subject us to third-party lawsuits, regulatory fines or other actions or liabilities, any of which could adversely affect our business, operating results or financial condition. We have attempted to preemptively mitigate the financial impact of any cybersecurity incident and currently maintain a cyber liability insurance policy. However, our cyber liability insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our cyber liability insurance policy may not cover all claims made against us, and defending a suit, regardless of its merit, could be costly and divert management’s attention from our business and operations. For further information regarding risks from cybersecurity threats, please refer to “Item 1A. RISK FACTORS—Risks Related to Our Business”.