Virpax Pharmaceuticals, Inc. - (VRPX)
10-K Filing Date: March 26, 2024
Risk Management and Strategy
We are a pre-clinical-stage biopharmaceutical company, focused on developing novel and proprietary drug delivery systems across various pain indications and treatments for CNS disorders. We have conducted a cybersecurity risk assessment performed by a third-party consultant and are in the process of developing a formal cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The risk assessment was performed against the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) standards.
We have implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third parties that may lead to a service disruption or an adverse cybersecurity incident. This includes an assessment of vendors during the selection/onboarding process and a review of SOC 1 reports on an annual basis.
In addition, we maintain policies over areas such as information security, access on/offboarding, and access and account management, to help govern the processes put in place by management designed to protect our IT assets, data, and services from threats and vulnerabilities. We partner with industry-recognized IT providers leveraging third-party technology and expertise. These third-party service providers are a key part of our current cybersecurity risk management and provide services including maintenance of an IT assets inventory; periodic vulnerability scanning; identity access management controls, including restricted access of privileged accounts; network integrity safeguarded by employing web-based software, including endpoint protection, endpoint detection and response, and remote monitoring management on all devices; industry-standard encryption protocols; and critical data backups. Our outsourced information technology consultant conducts proactive patching and monitoring of all of our existing systems and has implemented systems and procedures to mitigate cybersecurity risks that we believe are appropriate for a company of our size, stage of growth and financial condition. In addition, we carry insurance with coverage for cyber events that we believe is suitable for a company of our size, stage of growth and financial condition.
As of the date of this Annual Report on Form 10-K, we are not aware of any cybersecurity threats, and have not experienced any cybersecurity incidents, that have materially affected us, including our business strategy, results of operations or financial condition.
For additional information concerning risks related to cybersecurity, see Item 1A. Risk Factors: We are increasingly dependent on information technology, and our systems and infrastructure face certain risks, including cybersecurity and data leakage risks.
Governance
Management is responsible for the day-to-day management of the risks we face, while our Board of Directors has responsibility for the oversight of risk management, including as to risks from cybersecurity threats. In its risk oversight role, our Board of Directors has the responsibility to satisfy itself that the risk management processes designed and implemented by management are appropriate and functioning as designed. The Board of Directors has delegated to the Audit Committee of the Board of Directors the responsibility for the oversight of information technology, including cybersecurity risks. Member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk services brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the emerging threat landscape and new cyber risks, and provide updates on our processes to prevent, detect, and mitigate cybersecurity incidents.