Alto Neuroscience, Inc. - (ANRO)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, employee personal information, and clinical trial data, or Information Systems and Data.

We leverage a third-party service provider under the direction of our Chief Financial Officer, or CFO, to help management identify, assess and manage our cybersecurity threats and risks. With the assistance of our third-party service provider, we identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, automated tools for ransomware and virus protection, identity verification tools aimed at ensuring authorized environment access, and ongoing vulnerability assessments.

Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures and processes designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: data encryption for certain data, network security controls, data segregation for certain data, access controls, physical security controls, monitoring for certain systems, asset management and tracking, and employee training. We also maintain cybersecurity insurance.

Our assessment and management of material risks from cybersecurity threats are taken into account in our overall risk management processes. For example, we evaluate identified material risks from cybersecurity threats against our overall business objectives and will report material risks, if identified, to the audit committee of the board of directors, which evaluates our overall enterprise risk.

We use third-party service providers to assist management to identify, assess, and manage material risks from cybersecurity threats, including for example, a managed security provider and professional services firms, including outside legal counsel.

We use third-party service providers to perform a variety of functions throughout our business, including, for example, application providers, hosting companies, contract research organizations, and contract manufacturing organizations. We have certain vendor management processes to help manage cybersecurity risks associated with our use of certain of these providers, and, depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, those processes may involve different levels of assessment and risk mitigation measures, including, for example, the imposition of contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see the sections titled: “Risk Factors—Risks Related to our Business and Operations—If our telecommunications or information technology systems, or those used by our collaborators, CROs, CMOs, clinical sites, third-party logistics providers, distributors, or other contractors, consultants, or third party service providers upon which we rely, are or were compromised, become unavailable, or suffer security breaches, loss, or leakage of data or other disruptions, we could suffer adverse consequences resulting from such compromise, including but not limited to, operational or service interruption, harm to our reputation, litigation, fines, penalties and liability, compromise of sensitive information related our business, and other adverse consequences.” and “Risk Factors—Risks Related to Government Regulations—Actual or perceived failures to comply with applicable data protection, privacy and security laws, regulations, standards, and other requirements could adversely affect our business, results of operations, and financial condition.”


Governance

Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The audit committee of the board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including our CFO, leveraging the expertise of our third-party service provider. Our CFO has two years of oversight responsibilities for cybersecurity elements and has been involved in the oversight of the implementation of the Company’s current cybersecurity measures.

Currently, our CFO is responsible for hiring appropriate personnel, managing external third-party providers, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including to our CFO. As part of those processes, members of management, including our CFO, would work to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response processes are designed to report certain cybersecurity incidents to the audit committee of the board of directors.

The audit committee receives periodic reports from management concerning our cybersecurity risks and the processes we have implemented to address them. The audit committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.