SERA PROGNOSTICS, INC. - (SERA)
10-K Filing Date: March 20, 2024
Item 1C. Cybersecurity
Cybersecurity
We recognize the critical importance of maintaining the trust and confidence of stakeholders toward our business and are committed to protecting the confidentiality, integrity, and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology, or NIST, and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive approach that is focused on preserving the confidentiality, security, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Cybersecurity Risk Management and Strategy; Effect of Risk
We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and services, including third-party real-time risk assessments of cyber assets and mitigation of security risks, data loss prevention, regular air-gapped backups, continuous monitoring and threat response, advanced firewall systems, and security information and event management. As discussed in more detail under “Cybersecurity Governance” below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by our Chief Information Officer.
We also identify our cybersecurity threat risks by comparing our processes to standards set by NIST. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
• monitor emerging data protection best practices and laws and implement changes to our processes that are designed to comply with them;
• conduct annual HIPAA security and privacy risk assessments with a third-party provider, as well as annual HIPAA compliance audits;
• through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
• employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including advanced firewall systems, endpoint detection and response, data loss prevention, regular air-gapped backups, and security information and event management, which are evaluated and improved through third-party real-time risk assessments and mitigation of security risks;
• provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools, information and education to recognize and address cybersecurity threats;
• conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
• leverage the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident;
• carry and maintain information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident; and
• document internal policies and procedures for cybersecurity incident response and recovery.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
Our policies and processes also address cybersecurity threat risks associated with our use of third-party service providers. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our data to ensure they have adequate cybersecurity safeguards in place and continually monitor cybersecurity threat risks identified through such diligence.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Security breaches, losses of data, and other disruptions could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and reputation,” which disclosures are incorporated by reference herein.
Cybersecurity Governance; Management
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. The audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats.
At least annually, our audit committee receives an update from management of our cybersecurity threat risk management and strategy processes covering topics such as data security, results from third-party assessments, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our audit committee generally receives materials that include a cybersecurity scorecard and other materials discussing current and emerging material cybersecurity threat risks, and describing our ability to mitigate those risks, as well as recent developments, evolving standards, and information security considerations arising with respect to our peers and third parties. The audit committee discusses such matters with our Chief Information Officer.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Officer and the information technology team. Such individuals have extensive experience in various roles, including in other publicly traded companies, involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. These management team members monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these management team members report to the audit committee of our board of directors about cybersecurity threat risks, among other cybersecurity related matters, at least annually.