X4 Pharmaceuticals, Inc - (XFOR)
10-K Filing Date: March 21, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
Our management recognizes the impact that cybersecurity threats could have on our business operations, our compliance with regulations, and our reputation. We have identified cybersecurity as a critical business risk as part of our overall risk management strategy, which our board of directors oversees.
We have implemented a cybersecurity program in accordance with our risk profile and business that includes, among other things, written policies, monitoring and filtering procedures, and employee training. We have also developed an incident response policy and procedure designed to facilitate the timely reporting and assessment of cybersecurity incidents.
Our cybersecurity risk management program, which is part of our enterprise risk management program, aims to identify risks related to the Company, including risks from cybersecurity threats. Our cybersecurity risk management program includes a number of components, including informal self-assessments and audits, penetration testing, and vulnerability assessments, that are conducted periodically by both internal and external resources. The Company also analyzes current and emerging cyber threats that pose a risk to the organization using various threat intelligence tools and services.
As part of our cybersecurity risk management program, we take a risk-based approach to the evaluation of third-party vendors, and apply mitigations and processes based on our evaluation of the sensitivity of the data accessed by the vendor and the maturity of the vendor’s programs. Our vendor evaluation procedures include, as appropriate, the review of vendors’ SOC 2 Type 2 reports if available, and a vendor security questionnaire. We are in the process of expanding the use of the security questionnaire to additional vendors.
Governance Related to Cybersecurity Risks
Our director of information technology (“Director of IT”) is responsible for the strategic leadership and direction of the Company’s information technology organization. The Director of IT has helped organizations define and implement information technology strategies for over twenty years. Prior to joining the Company, he served in senior information technology roles for several biotechnology companies. Along with members of our finance, legal, and operations teams, the Director of IT sits on a newly-formed cyber subcommittee (“subcommittee”). The subcommittee reports to the Chief Operating Officer (“COO”) and Chief Financial Officer (“CFO”), and outputs from the Committee are provided by the COO and CFO to the Company’s executive team and the board.
The board is responsible for informed oversight of our risk management process. The board administers this oversight function through various board standing committees that address risks inherent in their respective areas of oversight. The board has delegated oversight for cybersecurity risk management to the Audit Committee. The Audit Committee reviews the Company’s policies and procedures with respect to cybersecurity risk management.
Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and breaches of our and our third-party vendors’ data and systems. For more information, see Item 1A. Risk Factors. The pharmaceutical industry is highly competitive and is subject to rapid and significant technological change, which could render our technologies and products obsolete or uncompetitive.