Third Harmonic Bio, Inc. - (THRD)
10-K Filing Date: March 26, 2024
The Board's Roles and Responsibilities
The Board of Directors, as a whole and at the subcommittee level, oversees and monitors cybersecurity risk at the Company, receiving regular updates from management on the status of the Company’s current cybersecurity risks, a prioritization of key risk areas to be mitigated, and any significant cyber incidents that have occurred or are reasonably likely to occur.
In late 2023, the Company began the process of a periodic formal cybersecurity risk assessment conducted by an expert third party. The findings from that formal assessment will inform the ongoing cybersecurity roadmap which is updated at least annually. The Audit Committee plays a key role by ensuring that the prioritization of the roadmap supports the Company’s business objectives, and by making decisions, when called upon, of whether specific cybersecurity risks should be mitigated or if that risk is acceptable to the business.
Risk Management and Strategy
Information Technology and the Digital Transformation of the Company’s assets and business processes are critical to our growth strategy. Inherent to Information Technology and Digital Transformation is the commensurate cybersecurity risk, which we manage by maintaining a cybersecurity program that is integrated into our overall risk management process.
The cybersecurity program is overseen by the IT Senior Director and utilizes a risk-based methodology to support the confidentiality, integrity and availability of our digital assets. The cybersecurity program is supported at the highest level within the Company, formally reporting to the Audit Committee, a subcommittee of the Board of Directors, at least once every two quarters and more often if required.
As part of the cybersecurity program, we conduct assessments, both internally and by independent third parties, to identify and prioritize the mitigation of cybersecurity risks. We also maintain a formal and mandatory cybersecurity awareness training program for all employees that includes annual training on information security best practices in high-risk areas such as phishing and authentication. All employees are also tested periodically on their cybersecurity awareness.
We rely on Information Technology systems and infrastructure for many of our business and internal processes. Some of these systems and infrastructure are managed by third-party service providers who are not under our direct control. In order to mitigate material risks from our critical Finance-related third-party service providers, we annually review their SOC1 reports for any noted material incidents and risks.
For our non-finance service providers, we are currently implementing cybersecurity controls, including but not limited to requiring all critical vendors to notify the Company should the vendor fall victim to, and become aware of, a material cybersecurity incident, and reviewing any available SOC2 or similar compliance reports. Our vendor selection and management processes are also being enhanced to ensure that vendors' cybersecurity controls are evaluated.
While tools and processes are in place to mitigate cybersecurity risks, we are continuing to establish an Incident Response Plan, or IRP, to analyze, contain, and remediate any cybersecurity incidents which may occur despite these mitigations. The IRP, based on the National Institute of Standards and Technology framework, defines a timely, consistent, and compliant response to cybersecurity incidents and includes notifications to the Audit Committee and any relevant governing bodies such as the SEC in the event that the cybersecurity incident is deemed to be material.
Although we have implemented a cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of our information systems and assets, the Company also maintains cybersecurity insurance to manage potential liabilities resulting from specific cyber incidents. However, there can be no guarantee that the insurance will cover the Company, wholly or partially, for potential liabilities, or that such insurance proceeds will be paid to us in a timely manner.
While we are not aware of any cybersecurity incidents that have occurred to date, we are exposed to, and may in the future be adversely impacted by, cyberattacks and interruptions to our information technology systems and infrastructure. Despite the security measures we have implemented, certain cyber incidents could materially disrupt our operational systems and/or result in the loss of trade secrets, proprietary information, or competitively sensitive data.
We seek to maintain a robust and continuously improving cybersecurity program; however, certain cybersecurity incidents could have a materially adverse impact on our competitive position, reputation, operations and/or financial position. We remain vigilant in continuously improving our cybersecurity program and its controls.
Governance and Management's Responsibilities
IT management is responsible for the cybersecurity program that assesses and manages cybersecurity risk. Specifically, the Senior Director of IT is responsible for the prevention, mitigation, detection, and remediation of cybersecurity incidents, while at the executive level the Chief Administrative Officer oversees the program and is its executive sponsor.
The Senior Director of IT monitors cybersecurity incidents and does so by working closely with expert technology and security partners. The Company and its partners deploy a variety of technologies and processes, including but not limited to intrusion monitoring, detection and response, patch management, threat hunting, identity and access management, assessments, audits and tests.
The Senior Director of IT has relevant expertise in cybersecurity, having spent the five years prior to joining the Company implementing and managing ISO 27001 at a public biotechnology company, where he was responsible for cybersecurity and Sarbanes-Oxley Information Technology compliance, reporting directly to the Audit Committee. ISO 27001 is the International Organization for Standardization’s standard for a comprehensive information security management program. The Senior Director of IT also has extensive SOX IT compliance experience, having guided his previous companies through SOX IT compliance since 2004, when SOX first came into effect.
Cybersecurity threats, including any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to materially affect, the Company, including its business strategy, results of operations or financial condition.