Pyxis Oncology, Inc. - (PYXS)
10-K Filing Date: March 21, 2024
Risk Management and Strategy
We take a risk-based approach in implementing and maintaining various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and information related to our clinical trials, products in development, and proprietary technologies (“IT Systems and Data”).
Our information security function, supported by members of our IT department and our third-party IT service providers, helps identify, assess and manage our cybersecurity threats and risks. This team helps to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example: automated tools, subscribing to reports and services that identify cybersecurity threats and analyzing such reports of threats and actors, conducting scans of our threat environment, evaluating threats reported to us, conducting vulnerability assessments, and working with third parties to conduct certain tests of our environment.
Depending on the environment and systems, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our IT Systems and Data, including, for example: incident detection and response procedures; an incident response policy; a disaster recovery plan; conducting risk assessments; maintaining network security controls; encrypting certain of our data; maintaining access and physical security controls; systems monitoring; assessing vendor risk; employee training; and maintaining cybersecurity insurance.
The cybersecurity risk management and mitigation measures we implement for certain of our IT Systems and Data include, for example: (1) cybersecurity risk is addressed as a component of our enterprise risk management assessment processes; (2) the information security function works with senior management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Audit Committee of the Board, which evaluates our overall enterprise risk; (4) policies and procedures to manage how Information Systems and Data are collected, maintained and stored; and (5) communicating with and training personnel on cybersecurity risks and trends.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part I. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Our internal computer systems, or those of any of our existing or future CROs, manufacturers, other contractors, consultants, or collaborators, may fail or suffer security or data privacy breaches or other unauthorized or improper access to, use of or destruction of our proprietary and confidential data, employee data or personal data, which could result in additional costs, significant liabilities, harm to our reputation and material disruption of our operations.”
Governance
Our Board of Directors, or Board, addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Audit Committee receives scheduled updates from senior management. The Audit Committee also receives various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.
Our Chief Financial Officer, or CFO, is primarily responsible for assessing and managing cybersecurity risks across the company based on the assessments by our Senior Director of IT and third-party IT specialists. Additionally, our cybersecurity risk assessment and management processes are implemented and maintained by our Senior Director of IT with assistance from third-party IT specialists. Our CFO has extensive experience managing risks at our company and at similar companies in the past, including risks arising from cybersecurity threats. Our Senior Director of IT has over 25 years of experience in IT security and data analytics.
Our CFO is responsible for approving budgets and our Senior Director of IT is responsible for preparing for cybersecurity incidents, approving cybersecurity processes, and conducting regular reviews of security assessments and other security-related reports.
Our cybersecurity incident response is designed to escalate certain cybersecurity incidents to members of management. In addition, our cybersecurity incident response and vulnerability management policies and procedures include reporting to the Audit Committee of the Board for certain cybersecurity incidents.