Candel Therapeutics, Inc. - (CADL)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity.

 

Cybersecurity Risk Management and Strategy

 

Candel has implemented cybersecurity risk management processes that are informed by industry standards in accordance with the scale of our business. Our cybersecurity risk management processes are designed to assess, identify and mitigate risks from current and emerging cybersecurity threats.

 

We use various tools and processes to accomplish these objectives, including policies and procedures, risk assessments, and testing. Further, we require our employees to participate in cybersecurity risk awareness trainings and phishing exercises.

 

Our cybersecurity risk management processes are supported by third-party service providers, including a managed services provider that assists the Company with, among other things, threat monitoring and cybersecurity incident response and escalation services. We rely on a third-party service provider to assist us with our cybersecurity practices, including for vulnerability assessments, penetration testing, and managing IT environments. Our process for onboarding new vendors with access to critical systems or data includes vendor questionnaires, contractual obligations, and if deemed appropriate, review of vendor audit reports.

 

Our incident management processes include reporting to senior management, including the Chief Financial Officer (CFO), Vice President of Regulatory and Quality Assurance, Chief Executive Officer, and GxP Systems Director, and, where appropriate, to the board of directors. To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats that could affect our information or systems. For more information, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K.

 

Cybersecurity Governance

 

The board of directors has delegated oversight of the Company’s cybersecurity risk management program to the Audit Committee, including responsibilities for reviewing and discussing cybersecurity risks, implementing risk management programs, controls and procedures, and performing high-level reviews of the threat landscape.

 

Our Senior Director, Information Technology (Senior Director, IT) is responsible for the strategic leadership and day-to-day management of our cybersecurity risk management program. The individual occupying this role has over thirty years of experience with information technology management and over five years of cybersecurity risk management.

 

Our Senior Director, IT engages in regular meetings with our third-party managed IT service provider and the Director, IT to review and assess our cybersecurity risk management processes. The Senior Director, IT reports such findings to our CFO who annually presents updates on cybersecurity risks, mitigation strategies, and, if necessary, incident response activities to our Audit Committee. Further, our Audit Committee updates the full board on matters relating to cybersecurity risk management, as necessary.