SUTRO BIOPHARMA, INC. - (STRO)

10-K Filing Date: March 25, 2024
Item 1C. Cybersecurity

Our board recognizes the critical importance of maintaining the trust and confidence of our patients, business partners and employees. Our board is actively involved in oversight of our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). Through our ERM program, risks are identified, assessed and managed at the organization level, mission and business process level, and information system level. Our cybersecurity program, policies and procedures are fully integrated into our ERM program and are maintained in accordance with industry good standards. We also have an Information Security program that more specifically addresses cybersecurity risks and is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:

1.
Governance: Our board’s oversight of cybersecurity risk management is supported by our Audit Committee of our board (the “Audit Committee”), which regularly interacts with our executive leadership, including our Chief Executive Officer, Chief Financial Officer and our General Counsel and other key officers.
2.
Collaborative Approach: We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. We also engage security vendors with credentialed security professionals to bolster our cybersecurity risk management, security event monitoring and detection, and incident and crisis response capability.
3.
Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including mail flow algorithms, firewalls, intrusion prevention and detection systems, malware and antivirus protection, network security protection, cloud console security and single sign-on multi-factor authentication. We also regularly conduct security and patch vulnerability scanning to help safeguard our security infrastructure.
4.
Incident Response and Recovery Planning: We have established and maintain comprehensive incident response and recovery plans that fully address our response to a cybersecurity incident, and such plans are periodically evaluated. We utilize an established internal framework designed to assess promptly the severity and materiality of cybersecurity events and incidents based on various predefined quantitative and qualitative criteria, including the impact to potential personally identifiable information and/or patient health information, and to determine the appropriate level of response. Incidents are escalated based on their severity and materiality for prompt response and mitigation. This systematic approach involves preliminary investigations and detailed assessments to determine the severity and materiality of each incident, and there are established communication channels and engagement processes with those involved in this incident response process.
5.
Third-Party Risk Management: We maintain a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. We have implemented communication channels with our key third-party vendors to communicate regarding

 

 

98

 

 

 

potential cybersecurity risks and incidents, and generally seek to include appropriate security clauses in our contracts with our vendors, including notification requirements.
6.
Education and Awareness: We provide regular, mandatory security awareness training for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.

We engage in a periodic assessment of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents at least annually. We evaluate our cybersecurity program’s capabilities and processes, and we aim to continuously enhance our program according to our internal and external risk assessments. These efforts include a wide range of activities, including audits, assessments, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning.

We have previously engaged, and may engage in the future, with third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, vulnerability assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and the board, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any cybersecurity threats, that have materially affected or are likely to affect us, including our business strategy, results of operations or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have a material effect, including on our business strategy, operating results, or financial condition. For more information regarding cybersecurity risks that we face and potential impacts on our business related thereto, see the "Risk Factors" disclosures in Item 1A of this Annual Report on Form 10-K.

Governance

Our board, in coordination with the Audit Committee, oversees our ERM process, including the management of risks arising from cybersecurity threats. Our Audit Committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including our information security strategy, ongoing cybersecurity preparedness projects and programs, recent cybersecurity-related developments, changing regulations, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Further, our Information Security Team, consisting of Company IT staff, meets biannually with our Information Security Governance Committee to review our policies, incidents, responses and preventative measures. In addition, our Information Security Team presents a summary of information security key performance indicators quarterly to our Audit Committee.

Our Chief Executive Officer, Chief Financial Officer, General Counsel and other key officers and our Information Security team work collaboratively across the Company to implement and monitor our Information Security Program, which is designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Our Information Security team is deployed to address cybersecurity threats and to respond to cybersecurity incidents, including those stemming from any violation of our cybersecurity policies. Further, our Information Security Team monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and reports such threats and incidents to the Audit Committee when appropriate.

Our Information Security team collectively has a combined experience of over 70 years managing and supporting information technology in the biotech industry and oversees our cybersecurity program. They have experience developing and leading cybersecurity programs, including evaluating and implementing tools and technologies that enable defense and response capabilities, and developing critical cybersecurity procedures and training and awareness programs. Our cybersecurity consultant has served in various roles in information technology and information security for approximately 25 years. We also consult with two different service providers who specialize in corporate cybersecurity.

 

 

99

 

 

 

Back SEC Filing