Altimmune, Inc. - (ALT)
10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity
Governance
As part of its oversight role, the Audit Committee of our Board is responsible for overseeing cybersecurity risk exposure as well as management’s actions to identify, assess, mitigate and remediate cybersecurity threats. The Audit Committee receives regular reports, on a quarterly basis, from our Chief Financial Officer and Senior Director of Information Technology regarding our cybersecurity risk programs. Our Chief Financial Officer also provides quarterly updates to the Board that include a summary of our cybersecurity risk programs to enable discussion of cybersecurity risk management at the Board level. The Audit Committee annually reviews and recommends our information security policy and program to the Board. The Audit Committee is composed of members with financial expertise as well as one member with a cybersecurity oversight certification.
Our Chief Financial Officer has overall responsibility for our cybersecurity and has over 20 years of experience managing information technology, or IT, departments at biotechnology and pharmaceutical companies. Our Senior Director of Information Technology is responsible for the development and implementation of IT department controls, policies, infrastructure, and day-to-day operations, in addition to managing security risk, evaluating safeguards and recommending security improvements, and has over seven years of experience managing IT departments for a biotechnology company. We utilize third-party vendors to help strengthen our information security risk management by conducting evaluations of our security controls on at least a quarterly basis.
Risk Management and Strategy
Our cybersecurity risk management program is comprised of the following components:
● Identifying assets at risk from cybersecurity threats and taking mitigation measures including the implementation of data backup, recovery and restore procedures to ensure business continuity, as well as through IT controls, policies and infrastructure.
● Identifying potential cybersecurity threats that could disrupt our IT systems, cause a data breach or compromise data security by implementing the following protective measures: patching and updating systems and applications, monitoring our email systems, endpoint protection, Domain Name System (DNS) filtering, Security Information and Event Management, and Multi-Factor Authentication (MFA).
● Conducting periodic assessment of protections to prevent or mitigate cybersecurity threats.
● Retaining third parties to periodically assess our cybersecurity management program, provide cybersecurity training, perform phishing tests, gap analysis and penetration tests, advise on business continuity plans, and provide additional support in the event of a cybersecurity incident.
The Chief Financial Officer and Senior Director of Information Technology work with other groups in the Company to understand the severity of the potential consequences of a cybersecurity incident and to make decisions about how to prioritize mitigation and other initiatives based on, among other things, materiality to the business. All employees and contractors receive cybersecurity training, and we plan to implement additional annual training for all employees and