ARS Pharmaceuticals, Inc. - (SPRY)
10-K Filing Date: March 21, 2024
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, and confidential information that is proprietary, strategic or competitive in nature, including clinical trial data (“Information Systems and Data”).
Our Chief Executive Officer supervises our IT department (the “IT Department”), which coordinates with our cybersecurity incident management team, which consists of, among others, our Chief Financial Officer, Chief Legal Officer, Head of IT, and a third-party IT and cybersecurity consultant (“CSI Management Team”) to identify, assess and manage our cybersecurity threats and risks. Members of our IT Department and CSI Management Team identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, manual tools, automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, internal and external audits, conducting threat assessments for internal and external threats, third-party threat assessments, conducting vulnerability assessments to identify vulnerabilities, and evaluating threats reported to us.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: a cybersecurity incident response policy; incident detection and response; vulnerability management processes; a disaster recovery and business continuity plan; risk assessments; encryption of certain of our data; network security controls; segregation of certain of our data; access controls; physical security; asset management, tracking and disposal; systems monitoring; vendor risk management processes; employee training; penetration testing; and cybersecurity insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, the IT Department works with the CSI Management Team to prioritize our risk management processes and mitigate cybersecurity threats that are expected to be more likely to lead to a material impact to our business. In addition, our management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors, which, together with the board of directors, evaluates our overall enterprise risk.
We use third-party service providers to assist us to identify, assess, and manage material risks from cybersecurity threats, including for example: a third-party IT and cybersecurity consultant; professional services firms, including legal counsel; threat intelligence service providers; cybersecurity software providers; managed cybersecurity service providers; penetration testing firms; and dark web monitoring services.
We use third-party service providers to perform a variety of functions throughout our business, such as conducting nonclinical and clinical trials; supply and quality testing; development and manufacturing; and professional services, including legal counsel. Additionally, we rely on third-party service providers and technologies to operate critical business systems to process sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, encryption and authentication technology for certain environments and systems, employee email, and content delivery. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, which may include reputational due diligence and vendor risk evaluations.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part I, Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Risk Factors—If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”
Governance
Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management, including the CSI Management Team. Certain members of the CSI Management Team are information technology and security professionals, and we also rely on third-party security analysts who have certain certifications related to cybersecurity.
Our Chief Executive Officer, Chief Financial Officer and Chief Legal Officer are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Additionally, they are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response policy is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Executive Officer, Chief Financial Officer, and Chief Legal Officer. These members of management work with our CSI Management Team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our cybersecurity incident response policy includes reporting to the audit committee of our board of directors for certain cybersecurity incidents.
The audit committee periodically reviews and discusses with the appropriate members of our management material risks relating to data privacy, technology and information security, including cybersecurity threats and back-up of information systems, and our processes for assessing, identifying, and managing such risks, as well as our internal controls and disclosure controls and procedures relating to cybersecurity incidents. The board and audit committee are also provided with reports, summaries or presentations related to cybersecurity threats, risk and mitigation.