Humacyte, Inc. - (HUMA)
10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have certain processes for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into our enterprise risk management processes. Specifically, we have processes for:
• Identifying and Managing Cybersecurity Risks — We have implemented a cross-functional approach to assessing, identifying and managing material cybersecurity threats and incidents. We periodically review, assess, update and test our policies, standards, processes and practices in a manner intended to address cybersecurity threats and events. The results of such reviews, assessments and tests are evaluated by management and periodically reported to our Audit Committee of the Board of Directors, and our Board of Directors.
• Technical Safeguards — We have integrated cybersecurity into our overall information technology operations and designed our processes and systems to help protect our information assets and operations from internal and external cyber threats, protect employee and patient information from unauthorized access or attack as well as secure our networks and systems.
• Incident Response and Recovery Planning — To better facilitate our cybersecurity program, our cybersecurity team works collaboratively across our Company to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents. We conduct regular tabletop exercises, including incident simulations to test these plans and ensure personnel are familiar with their roles and responsibilities in a response scenario.
• Third-Party Risk Management — We maintain a risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties and the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems.
• Education and Awareness — We provide training regarding cybersecurity threats to equip our employees, directors and consultants with tools to be aware of and to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.
We adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by our assessments, audits and reviews. Such processes include (i) procedural and technical safeguards, (ii) response plans, (iii) annual tests on our systems, (iv) incident simulations and (v) routine review of our cybersecurity policies and procedures to identify risks and improve our practices. We engage certain external cybersecurity firms to enhance our cybersecurity oversight. We include confidentiality provisions in all contracts with third-party service providers, and data protection provisions in certain contracts with third-party service providers where applicable, to help protect us and our employees and patients from any related vulnerabilities.
Governance
Our Board of Directors is responsible for exercising oversight of management’s identification and management of, and planning for, risks from cybersecurity threats. While the full Board of Directors has overall responsibility for risk oversight, the Board of Directors has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee. The Audit Committee reports to the Board of Directors at least annually, and notifies the Board of Directors as necessary regarding significant new cybersecurity threats or incidents. The Audit Committee of our Board of Directors meets not less than annually to discuss our approach to overseeing cybersecurity threats with management, including with members of our internal cybersecurity team. Any material cybersecurity incidents are promptly reported by management to our Audit Committee.
We use an internal management committee to run our information and technology function, comprised of information technology, finance, and legal employees, and led by our Vice President – Information Technology and Automation, and Chief Financial Officer, each of whom has experience managing the information and technology functions, and cybersecurity safeguards, at multiple prior companies. Through ongoing communications with this management committee, senior management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Audit Committee, when appropriate. Management updates the Audit Committee annually with an overview of our cybersecurity threat risk management and strategy processes. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related topics and discuss any updates to our cybersecurity risk management and strategy programs. The Audit Committee is notified between such updates regarding material new cybersecurity threats or incidents that meet pre-established reporting thresholds and any ongoing updates regarding any risk, as needed.
We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations or financial condition. However, as discussed under “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K, cybersecurity threats could pose multiple risks to us. As cybersecurity threats become more frequent, sophisticated, and coordinated, it is reasonably likely that we will be required to expend greater resources to continue to modify and enhance our protective measures.