Acumen Pharmaceuticals, Inc. - (ABOS)

10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity.
Risk management and strategy.
In the ordinary course of our business, we and our third-party service providers, such as contract research organizations, collect, maintain and transmit sensitive data on our networks and systems, including our intellectual property and proprietary or confidential business information (such as research data and personal information). The secure maintenance of this information is critical to our business and reputation. In addition, we are heavily dependent on the functioning of our information technology infrastructure to carry out our business processes. While we have adopted administrative, technical and physical safeguards to protect such systems and data, our systems and those of third-party service providers may be vulnerable to a cyber-attack.
We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include frameworks to respond to and assess internal and external threats to the security, confidentiality, and integrity of our data and information systems, along with other material risks to our operations, which we review at least annually or whenever there are material changes to our systems or operations.
Our IT department collaborates with our Chief Operating Officer to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We have processes to detect potential vulnerabilities and anomalies through technical safeguards. As part of our risk management process, we conduct regular IT security audits to assess and respond to internal and external security threats.
We rely on third parties, including cloud vendors and consultants, for various business functions. Many of our third-party service providers have access to our information systems and data, and we rely on such third parties for the continuous operation of our business operations. We oversee third-party service providers by conducting vendor diligence. Vendors are generally assessed for risk based on the nature of their service, access to data and systems and supply chain risk and, based on that assessment, we conduct diligence that may include completing security questionnaires, onsite evaluation, and scans or other technical evaluations.
Governance.
Our Board of Directors has established oversight mechanisms to manage risks from cybersecurity threats. Our Audit Committee has primary responsibility for oversight of cybersecurity, including the responsibility to review and discuss with management and the Company’s auditors, as appropriate, management risks relating to data privacy, technology and information security, including cyber security and back-up of information systems, and the steps the Company has taken to monitor and control such exposures and the responsibility to confer with management and the Company’s auditors the adequacy and effectiveness of the Company’s information and cyber security policies and the internal controls regarding information security. The Audit Committee, or the Board of Directors as a whole, is briefed on any material cybersecurity incidents that may adversely affect the Company and on cybersecurity risks in general at least once each year.
At the management level, our cybersecurity program is managed by our Director of IT, who reports to our Chief Operating Officer. Our Director of IT has over 12 years of IT security experience in regulated industries such as government, energy, and biopharma. He has over 20 years of combined IT experience.
Our Director of IT and IT Department implement processes around security monitoring and vulnerability testing. Our Director of IT reports at least annually to the Audit Committee and such reporting will include topics such as our risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses and recommendations for changes and updates to policies and procedures.
Although we have experienced cybersecurity incidents in the past, as of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our continuing efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive or business harm or damage to our Company, loss of intellectual property rights, significant costs or the Company being subject to government investigations, litigation, fines or damages. For more information, see “Our business and operations would suffer in the event of computer system failures, cyberattacks or a deficiency in our cybersecurity or a natural disaster.”