Ampio Pharmaceuticals, Inc. - (AMPE)

10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity.

10

In July 2023, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

Given our current environment and structure of the Company, we outsourced a majority of our information technology functions in 2023, including but not limited to hosting and security access and cybersecurity generally, to third-party service providers. We relied primarily on third parties to assess, identify and manage material risks from cybersecurity threats. Our agreements with these third parties obligated these parties to provide us with various notifications and reports that help our management oversee and identify material risks from cybersecurity threats associated with our use of these third-party service providers.

Cybersecurity threats are just one of the many risks that we face. While we have not experienced a cyber-security incident, there is no assurance that we will not be impacted in the future. In 2023, risks from cybersecurity threats did not materially affect and were not reasonably likely to materially affect Ampio except to the extent that our management of risks from cybersecurity threats was reflected in our overall operations strategy in 2023. Like many of the specialized or highly technical functions within our company, we believe we obtained a greater depth of support and relevant expertise from third-party IT and cybersecurity resources at an overall lower cost profile than hiring our own employees.

Under the charter of our Audit Committee, the Audit Committee oversees management’s development and implementation of policies with respect to risk assessment and risk management, which includes risks associated with cybersecurity threats. In 2023, the Audit Committee also discussed with management the Company’s significant financial risk exposures and the actions management had taken to limit, monitor, control or mitigate such exposures. Our executive officers are responsible for managing risks from cybersecurity threats, which was primarily performed in 2023 by overseeing third parties involved in the management and monitoring of IT systems. Our executive officers also received reporting and information from third parties in 2023. Our management regularly reported to the Audit Committee on these risks. The Audit Committee also received reports from our legal counsel and internal auditors on cybersecurity matters. Currently, the Audit Committee also comprises the entire Board so we believe there is direct visibility by the Board to cybersecurity risk management.