BioAtla, Inc. - (BCAB)
10-K Filing Date: March 26, 2024
Cybersecurity Risk Management and Strategy:
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks.
We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. Our approach includes, among other things:
These approaches vary in maturity across the business, and we work to continually improve them.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigation.
As part of the above approach and processes, we have engaged assessors to review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We depend on our information technology systems and those of our CROs, manufacturers, contractors and consultants. Our internal computer systems, or those of any of our CROs, manufacturers, other contractors, consultants, existing or future collaborators, may fail or suffer security or data privacy breaches or other unauthorized or improper access to, use or acquisition of or destruction of our proprietary and confidential data, employee data or personal data, which could result in additional costs, loss of revenue significant liabilities, harm to our reputation and material disruption of our operations” included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, and under the heading “Risks related to employee matters, managing our growth and other risks related to our business.”
In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Cybersecurity Governance:
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. The Audit Committee semi-annually receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives materials indicating current and emerging cybersecurity threat risks, and describing the company’s ability to mitigate those risks. Members of the Board and the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks may also be considered during separate Board meeting discussions.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Senior Vice President of IP and Contracts and other members of the management team. Our team has over ten years in information technology, cybersecurity, risk management, and compliance and includes individuals with BS degrees in Information Technology and several information technology and security certifications.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident.