Invivyd, Inc. - (IVVD)
10-K Filing Date: March 28, 2024
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing the risks from foreseeable cybersecurity threats and for detecting and responding to any cybersecurity incidents. These policies and processes are built into our information technology (“IT”) function and are designed to align with the NIST Cybersecurity Framework, published by the U.S. National Institute of Standards and Technology.
We have adopted an IT Security Management Policy (“IT Policy”) to establish the requirements for securing and managing our IT assets and data, as well as an Incident Response Policy designed to coordinate the activities for preparing for, identifying, responding to, and recovering from cybersecurity threats. Our Head of IT is primarily responsible for implementing and overseeing the IT Policy, which is applicable to all our employees and contractors, as well as any third parties with access to our IT assets and data. Our Head of IT is also primarily responsible for leading incident response services under the Incident Response Policy. Our Head of IT leverages over 20 years of experience in various cybersecurity functions. As part of our overall risk mitigation strategy, we maintain an Enterprise Risk Register to identify, prioritize and track system risks, including cybersecurity risks. Additionally, we maintain cybersecurity insurance; however, such insurance may not be sufficient in type or amount to cover the total losses or damages related to a cybersecurity incident.
We implement technical, physical, and organizational measures designed to manage and mitigate risks from cybersecurity threats. For example, we employ multifactor authentication, single sign-on, and email filtering services across our systems. Additionally, we conduct monthly video-based cybersecurity awareness trainings across our workforce, which cover relevant topics such as social engineering, phishing, password protection, confidential data protection, and mobile security. We regularly perform company-wide phishing tests. We currently leverage multiple third-party service providers to assist in monitoring, managing, and detecting cybersecurity threats and conducting periodic vulnerability assessments of our critical assets.
As of the date of this report, we are not aware of any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, evolving cybersecurity threats make it increasingly challenging to anticipate, detect, and defend against cybersecurity threats and incidents.
Governance
While our Board of Directors has overall responsibility for risk oversight, the Audit Committee of our Board of Directors (the “Audit Committee”) is responsible for overseeing our cybersecurity risk management and strategy. The Audit Committee reviews and discusses with management and the Company’s auditors, as appropriate, our risks relating to data privacy, technology, and information security, including cybersecurity and back-up of information systems. The Audit Committee also confers with management and our auditors, as appropriate, regarding the adequacy and effectiveness of our policies and the internal controls regarding information security.
Our Head of IT meets regularly with our Chief Operating Officer to discuss our cybersecurity threat landscape, address open gaps and issues, and evaluate solutions to cover any identified gaps. Our Head of IT, in collaboration with members of senior management, reports relevant cybersecurity matters to our Audit Committee.
For discussion of cybersecurity risks, please see Item 1A, “Risk Factors.”