Acrivon Therapeutics, Inc. - (ACRV)
10-K Filing Date: March 28, 2024
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity technologies, and controls and processes to aid in our efforts to assess, identify, and manage such risks.
We are subject to cybersecurity threat risks associated with our use of third-party service providers, including independent clinical investigators, contracted laboratories and contract research organizations. Cybersecurity considerations affect the selection and oversight of these third-party service providers.
We engage certain external parties, including cybersecurity and privacy firms and consultants, to provide IT support and cybersecurity oversight, and enhance our risk reduction abilities, including the engagement of a third-party to review our cybersecurity program to help identify areas for continued focus and improvement. We also use automated tools designed to monitor, identify, and address cybersecurity risks.
105
As of the date of this report, we have not identified cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operation or financial condition. We are in the process of formalizing an incident response plan. For additional information regarding risks from cybersecurity threats, please refer to Item 1A, “Risk Factors,” of this Annual Report on Form 10-K.
Cybersecurity Governance
Our Head of Information Technology, who reports directly to the Chief Operating Officer, has day-to-day responsibility for preventing, mitigating and remediating cybersecurity threats and incidents. The individual currently serving in this role has two decades of experience in information technology and cybersecurity. Our Disclosure Committee evaluates the materiality of any threats and/or incidents to determine if there is any required disclosure. Our external SEC counsel is also apprised of certain threats and/or incidents that may occur and is available to advise management on any disclosure obligations.
Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Periodically, the Audit Committee receives an overview from our Head of Information Technology of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.