Bolt Biotherapeutics, Inc. - (BOLT)
10-K Filing Date: March 21, 2024
Risk Management and Strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data (such as information related to our product candidate development, collaboration activities and clinical trials), including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and sensitive personnel data and other personal data (collectively, “Information Systems and Data”).
Our information technology department, supported by certain service providers, identifies, assesses and manages the Company’s cybersecurity threats and risks. Our information technology department (led by our Director of IT Operations and Security) identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, real-time monitoring of network events, subscribing to reports and services that identify cybersecurity threats, evaluating threats and actors reported to us, conducting scans of the threat environment, evaluating our and our industry’s risk profile, coordinating with law enforcement concerning threats when appropriate, conducting (and working with third parties, as appropriate) assessments and audits for internal and external threats and vulnerabilities, and using external intelligence feeds.
We implement and maintain various technical, physical, and organizational measures, processes, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, an incident detection and response plan; vulnerability management processes; risk assessments; implementation of security standards; encryption of certain data; network security controls; segregation of certain data; access controls including multi-factor authentication for certain Information Systems and Data; physical security; asset management, tracking and disposal; systems monitoring; a vendor risk management program; employee training; penetration testing; and cybersecurity insurance. Our assessment and management of material risks from cybersecurity threats is integrated into the Company’s overall risk management processes. For example, our information technology department presents updates on our IT environment and cybersecurity threats to the audit committee of the board of directors, which evaluates our overall enterprise risk and the effectiveness of our risk management approaches.
We use service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats. Such providers include but are not limited to legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed security service providers, and penetration testing firms.
We use service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, contract manufacturing organizations, distributors, and supply chain resources. We have a vendor management program designed to manage cybersecurity risks associated with our use of certain of these providers. The program includes a risk assessment for certain vendors that host our Information Systems and Data. For vendors who host our critical data, we have processes designed to assess the vendor’s ability to support business continuity and disaster recovery. Where appropriate, we conduct security questionnaires and a review of vendors’ security. This review may include reviewing program documentation, security reports and audits, conducting security assessment calls with the vendor's security personnel, and imposing information security-related contractual obligations on the vendor. We also request data privacy assessments from certain vendors as appropriate. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, please see the risk factor in Part 1. Item 1A, including the risk factor entitled “Our internal computer systems, or those used by our CROs or other contractors or consultants, may fail or experience security breaches or other unauthorized or improper access.”
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Director of IT Operations and Security, Senior Director of IT, and Chief Financial Officer.
Our Director of IT Operations and Security and Senior Director of IT are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, reviewing security assessments and other security-related reports, and communicating key priorities to relevant personnel. For example, our Director of IT Operations and Security holds a Master of Science in information security and assurance, holds relevant certifications such as Certified Ethical Hacker, Computer Hacking Forensics Investigator, Security+ and Network+, and has worked for approximately nine years in the field of cybersecurity. Our Senior Director of IT has 25 years of IT management experience at various public biotechnology companies. Our Chief Financial Officer is responsible for helping prepare budgets, helping prepare for cybersecurity incidents, and approving certain cybersecurity processes.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Financial Officer. Our Chief Financial Officer receives regular reports on the status of our cybersecurity measures, and works with the Company’s incident response team in an effort to help the Company mitigate and remediate cybersecurity incidents of which they are notified, and to assess and determine materiality for reporting purposes.
The audit committee receives periodic written and verbal reports from our Chief Financial Officer and directly from the information technology department concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented that are intended to address them. The audit committee also receives from the Director of IT Operations and Security or the Senior Director of IT various written reports, summaries or presentations related to cybersecurity threats, risk, and mitigation.