PROKIDNEY CORP. - (PROK)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity.

We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain an enterprise-wide information security program designed to identify, protect, detect and respond to and manage reasonably foreseeable cybersecurity risks and threats. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner.

Cybersecurity risks related to our business, manufacturing operations, clinical trials, privacy and compliance issues are identified and addressed through third party assessments, internal IT audits, IT security, risk and compliance reviews. To defend, detect and respond to cybersecurity incidents we conduct proactive cybersecurity reviews of systems and applications, perform penetration testing using external third-party tools and techniques to test security controls, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers or those who have access to patient and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.

We have implemented incident response and breach management processes which are based on the National Institute of Standards and Technology (NIST) framework for incident response. This includes 1) defined roles and incident response initiation processes, 2) incident detection and analysis, 3) containment, eradication and recovery, and 4) post-incident analysis. Such incident responses and related matters of cybersecurity are overseen by leaders from our Information Technology, Manufacturing, Clinical Operations, Regulatory and Legal teams.

We employ a range of tools and services, including regular network and endpoint monitoring, audits, vulnerability assessments and penetration testing to inform our risk identification and assessment. Additionally, we engage external auditors and consultants to assess our internal cybersecurity program and our compliance with applicable practices and standards.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact and reviewed for privacy impact.

As part of the above processes, we engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Our internal computer systems, or those of our collaborators or other contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of our product development programs,” which disclosures are incorporated by reference herein.

We have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial.

Cybersecurity Governance

Cybersecurity is an important part of our overall risk management processes and an area of focus for our Board and management. Our Audit Committee of the Board oversees our cybersecurity risk and receives reports from our SVP, Information Technology on a quarterly basis. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any), status on key information security initiatives, industry trends, and other areas of importance.

We have also established an information technology management committee which is led by our SVP, Information Technology, Chief Financial Officer, and Chief Legal Officer. The members of this committee are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.