Armata Pharmaceuticals, Inc. - (ARMP)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include operational risks, intellectual property or trade secret theft, improper disclosure of confidential information, fraud, extortion, harm to employees or customers, and violation of data privacy or security laws.

Cybersecurity risks related to our business, technical operations, privacy, and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal information technology (“IT”) audits, and IT security reviews. To defend, detect, and respond to cybersecurity incidents, we perform cybersecurity reviews of systems and applications; audits of applicable data policies; vulnerability assessments and penetration testing using external third-party tools to test security control; security incident and event management; continuous monitoring, and threat intelligence gathering; conduct employee training; and implement appropriate changes.

We leverage third-party expertise to audit and test our cybersecurity program and perform employee awareness training. These include periodic reviews of cybersecurity threats and related controls, including review of periodic penetration testing conducted by independent third parties.

We maintain a cyber liability insurance plan underwritten by multiple insurance companies, which provides protection against certain potential losses arising from cybersecurity incidents.

Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. Our Board of Directors delegated oversight of Cybersecurity to the Audit Committee. Our board members receive reports and presentations on data privacy and security, which address relevant cybersecurity issues, and which can span a wide range of topics, including but not limited to, recent developments, evolving standards, vulnerability assessments, review of risks from third parties such as service providers and suppliers, and the current threat environment. These updates are presented by IT third-party experts, finance, and legal departments. Our board members also engage in ad hoc conversations with management on cybersecurity-related news events and updates to our cybersecurity risk management and strategy programs.

The Audit Committee’s cybersecurity-related oversight includes the following:

Receiving notice of, and providing guidance with respect to, material cybersecurity incidents;
Reviewing our risks and cybersecurity programs and policies;
Overseeing our management and mitigation of cybersecurity risks and potential breach incidents;
Reviewing reports and key metrics on the Company’s cybersecurity and related risk management programs;
Reviewing the progress of major technology-related proposals, plans, projects and architecture decisions to ensure that these projects and decisions support our overall business strategy.

Our management engages with third-party experts who have significant IT expertise and broad cybersecurity experience, including in cybersecurity threat management, cybersecurity training and education, incident response, cyber forensics, insider threats, business continuity and disaster recovery, and regulatory compliance. Such individuals have significant prior work experience in various roles involving IT security, auditing, compliance, systems, and programming. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents and design.
