Kyverna Therapeutics, Inc. - (KYTX)
10-K Filing Date: March 26, 2024
Cyber Risk Management and Strategy
We, under the oversight of the Audit Committee of our board of directors, have implemented and maintain an enterprise risk management process, which includes periodic assessments of various risk categories, including cyber risks, across our Company. Our process for assessing, identifying, and managing risks from cybersecurity threats is informed by industry standards and supported by cybersecurity technologies, including third-party security solutions, monitoring, and alerting tools, designed to monitor, identify, and address cybersecurity risks.
We leverage a managed security service provider and also engage with other third-party providers and consultants to support our cyber risk management efforts, including through periodic security testing. We have a process to assess and review the cybersecurity practices of information technology third-party vendors and service providers, including through review of applicable certifications, security reports, and vendor questionnaires and contractual requirements, as appropriate.
Governance Related to Cybersecurity Risks
Our cyber risk management program and related operations and processes are directed by our Head of IT in consultation with the legal team and our third-party security advisor. Currently, our Head of IT role is held by an individual who has over 20 years of information technology experience. The Head of IT reports to our Chief Financial Officer.
Our Head of IT meets with our Chief Financial Officer periodically to discuss and review our cybersecurity risk management processes and to address matters related to potential cybersecurity and information technology risks, with input from our third-party technology providers, as appropriate. In addition, our Head of IT has regular meetings with our managed security service provider to inform our cyber risk management processes and reporting to management. Our Head of IT, working with our Chief Financial Officer, provides periodic reports on cybersecurity and information technology matters to our Audit Committee, which assists our board of directors in reviewing and overseeing our risk management process, including cybersecurity risks.
Our Chief Financial Officer and our Audit Committee periodically report on cybersecurity risk management to the full board of directors. Our board of directors, as a whole and through its committees, has responsibility for the periodic review and oversight of information technology risks, including cybersecurity risks.
Our enterprise risk management program is overseen by a risk management committee comprised of senior management across key functional areas inclusive of cybersecurity and information technology matters. This committee, working with our Chief Financial Officer, provides periodic reports and updates, as needed, to our board of directors or our Audit Committee. In collecting information on enterprise risk, cybersecurity is included as a designated risk category, and the results of our enterprise risk assessment processes, including risks related to cybersecurity, are also discussed with the Audit Committee and among senior management on a periodic basis.
Material Effects of Cybersecurity Incidents
Except as disclosed in Part I, Item 1A, “Risk Factors” of this Annual Report on Form 10-K, including, without limitation, the risk factor under the heading “If our internal information technology systems, or those used by our CROs, CMOs, clinical sites or other contractors or consultants upon which we rely, are or were compromised, become unavailable or suffer security breaches, loss or leakage of data or other disruptions, we could suffer material adverse consequences resulting from such compromise, including, but not limited to, operational or service interruption, harm to our reputation, litigation, fines, penalties and liability, compromise of sensitive information related to our business, and other adverse consequences”, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition.