HOOKIPA Pharma Inc. - (HOOK)

10-K Filing Date: March 22, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We have implemented and maintain various cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and clinical trial data (“Information Systems and Data”).

Our cybersecurity function, led by our Head of DevSecOps and supported by our Head of IT and third-party service providers, identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example: maintaining manual and automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of our threat environment, evaluating our and our industry’s cybersecurity risk profile, evaluating threats reported to us, completing internal and external cybersecurity audits, completing third-party cybersecurity threat assessments, conducting vulnerability assessments, leveraging external intelligence feeds, and completing third-party red/blue team exercises and tabletop incident response exercises.

Depending on the environment, we implement and maintain technical, physical, and organizational measures, processes, standards, practices, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. These measures, processes, standards, practices, and policies address, for example: incident detection and response, risk assessments, security certifications, encryption, network security controls, data segregation, access controls, physical security, asset management (such as tracking and disposal), systems monitoring, and employee cybersecurity awareness training. We also have cybersecurity insurance.

Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall enterprise risk assessment process. We have a cybersecurity-specific risk assessment process designed to assess identified material risks from cybersecurity threats. This process is designed to help us manage our material risks from cybersecurity threats and protect against, detect, and respond to cybersecurity incidents.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example cybersecurity software providers and cybersecurity consultants that provide threat intelligence, managed cybersecurity, forensic, and penetration testing services.

Further, we use third-party service providers to perform a variety of functions throughout our business, such as software-as-a-service providers, data hosting companies, contract research organizations, and contract manufacturing organizations. We have certain vendor management processes designed to help manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management processes may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including, for example, security questionnaires and the imposition of contractual obligations related to cybersecurity on the provider.

For a description of the cybersecurity risks and related impacts that may materially affect the Company and how they may do so, see our risk factors in Part I, Item 1A of this Annual Report on Form 10-K, including “Cybersecurity risks and the failure to maintain the security, confidentiality, integrity, and availability of our information technology systems or data, and those maintained on our behalf, could result in adverse consequences that materially affect our business, including without limitation regulatory investigations or actions, a material disruption of the development programs of our product candidates, damage to our reputation and/or subject us to costs, loss of customers or sales, fines and penalties or lawsuits.”

Cybersecurity Governance

Our Board of Directors addresses the Company’s cybersecurity risk management as part of its general oversight function. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats and data breaches. On a quarterly basis, the Audit Committee receives an overview from our Head of IT regarding our cybersecurity threat risk management and strategy processes, which may include, for example, covering topics such as data security posture, results from third-party assessments, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. The Chair of the Audit Committee periodically updates our Board of Directors on its oversight of cybersecurity and data breach risk management and strategies.

Our executive management team, with regulatory and governance oversight from our Audit Committee, is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Digital and IT Steering Committee is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity function, led by our Head of DevSecOps and supported by our Head of IT and third-party service providers, is responsible for our cybersecurity risk management and strategy processes. Our Head of IT, who is a Certified Information Security Manager (CISM ISACA) and a Certified Information Systems Auditor (CISA ISACA), and our Head of DevSecOps, collectively have significant prior work experience in various roles involving managing information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs.

Our cybersecurity incident response plan provides for escalation of certain cybersecurity incidents to members of management depending on the circumstances, including our CFO, COO, and CEO. Management works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. Our incident response team also reports material cybersecurity incidents to the Chair of the Audit Committee.