SYNLOGIC, INC. - (SYBX)

10-K Filing Date: March 19, 2024
Item 1C. Cybersecurity.

We recognize the critical importance of maintaining the trust and confidence of patients, business partners and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. In general, we seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Cybersecurity Risk Management and Strategy; Effect of Risk

We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, whether perpetrated by hackers or resulting from unintentional damage or disruption to hardware and software systems, loss of data, or misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program and work with a third-party managed service provider to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring of internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We and our third-party partners employ a range of tools and services, including regular network and endpoint monitoring and protection, audits, vulnerability assessments, and penetration testing, to inform our risk identification and assessment. As discussed in more detail under “Cybersecurity Governance” below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by our Chief Operating Officer.

We also identify our cybersecurity threat risks by using the services of a managed services provider. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:

monitor as appropriate emerging data protection laws and industry literature and implement changes to our processes that are designed to comply with such laws if needed;
through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including redundant firewalls, intrusion prevention and detection systems, multi-factor authentication, encryption, anti-malware functionality and access controls;
provide annual and routine mandatory training utilizing KnowBe4 (a leading security awareness training platform) for our employees and contractors regarding cybersecurity threats, as a means to equip them with effective tools to address cybersecurity threats and to communicate our evolving information security policies, standards, processes and practices;
conduct phishing email simulations for employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
utilize a managed services provider to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.

Our incident response plan coordinates the activities we, in concert with our third-party managed services provider, take to prepare for, detect, respond to and recover from cybersecurity incidents. These include processes to triage, assess the severity of, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers and those who have access to patient and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, including through vendor security questionnaires as appropriate.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Our internal computer systems, or those of our collaborators or other contractors or consultants, may fail or suffer cybersecurity incidents, which could result in a material disruption of our product development programs,” which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents.

Cybersecurity Governance; Management

Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats.

At least annually and on a periodic basis, our audit committee receives an update from management on our cybersecurity threat risk management and strategy processes, generally receives materials on our ability to mitigate current and emerging risks, and discusses such matters with our Chief Operating Officer. Our processes designate our audit committee to receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Operating Officer. This individual has over twenty years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. The Chief Operating Officer, along with the Company’s managed services provider, is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, the Chief Operating Officer reports to the audit committee of our board of directors about cybersecurity threat risks, among other cybersecurity-related matters, at least annually.