NextCure, Inc. - (NXTC)

10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity

In the ordinary course of our business, we collect, maintain and transmit large amounts of confidential information in digital form, including intellectual property, proprietary business information, financial information, personal information, protected health information and data to comply with cGMP and data integrity requirements. It is critical that we do so in a secure manner to maintain data security and data integrity of such information. We have established physical, electronic and organizational measures to safeguard and secure our systems to prevent a data compromise. We have also outsourced elements of our information technology infrastructure and data security processes to a number of expert qualified third-party vendors to help us stay current with data and electronic information security best practices.

We have implemented processes designed to identify, review and manage risks from potential data breaches, unauthorized occurrences, and other information security losses on or through our information technology systems that could result in adverse effects on the confidentiality, integrity, and availability of our systems and electronic information. These processes are managed and monitored by our information technology (IT) team as managed by our Chief Operating Officer, or “COO”. Our COO has experience in overseeing our cybersecurity and information technology programs. We rely heavily on information technology consultants for advice and expertise on monitoring evolving industry standards and to monitor our compliance with applicable policies. Our processes include mechanisms, controls, technologies, and systems designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. With the assistance of our third-party vendors, we conduct regular penetration and vulnerability testing, security audits, and ongoing risk assessments. Our internal information technology team conducts due diligence on key technology vendors, contractors and suppliers. We also conduct periodic employee training on cyber and information security, among other topics, and conduct internal false flag and/or phishing campaigns to identify any employees that might need additional training.

Our COO, together with our internal IT team, is responsible for assessing and managing cybersecurity risks. They review at least quarterly with our expert advisors our cybersecurity measures and procedures in view of the Company’s cybersecurity risks to anticipate future threats and trends, and determine whether and how to adjust our strategies and processes accordingly. During the year ended December 31, 2023, we did not identify risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity risks or threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “We depend on data and our information technology systems, and any failure of these systems could harm our business. Security breaches, loss of data, and other disruptions could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business, results of operations and financial condition.”

The Board of Directors, with the assistance of the Audit Committee, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. As part of its oversight responsibilities, the Audit Committee receives regular updates on cybersecurity and information technology matters and related risk exposures from our COO. The Board also receives updates from the Audit Committee on cybersecurity risks on at least an annual basis.