Tenaya Therapeutics, Inc. - (TNYA)

10-K Filing Date: March 18, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. In collaboration with our external vendors specializing in cybersecurity management, we routinely assess material risks from cybersecurity threats, including any potential unauthorized access to our information systems that could result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments of planned material changes in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. In consideration of the size and complexity of our business, we devote appropriate internal and external resources to manage material risks from cybersecurity threats. We also designate senior-level personnel, including our Vice President, Information Technology, who reports to our Chief Financial and Business Officer, to manage the risk assessment and mitigation process and to closely coordinate with our General Counsel on applicable regulatory obligations.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards. Personnel at all levels and departments are made aware of our cybersecurity policies through required policy review and trainings at the time of hire and periodically during their employment with us.

We engage consultants, auditors, or other third parties in connection with our risk assessment processes. These professionals assist us in the design and implementation of our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards. In addition, in order to mitigate cybersecurity risks associated with our use of third-party service providers, we require certain third-party service providers to certify that they have the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of their security measures that may affect our company.

For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Our computer systems, or those of any of our CROs, manufacturers, contractors, consultants or other third parties or potential future collaborators, may fail or suffer security incidents or data privacy breaches or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data, or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations.”

Governance

One of the key functions of our board of directors (our “Board”) is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee.

Our Vice President, Information Technology, along with the members of our Incident Response Team, which includes our Chief Financial and Business Officer and our General Counsel, are primarily responsible for assessing and managing our material risks from cybersecurity threats. Our Incident Response Team is supported by an experienced managed service provider and an incident response provider with extensive global cybersecurity expertise, who both monitor, assess and report threats to us. Additionally, our Vice President, Information Technology has over twenty years of experience operating in the information technology, security and cybersecurity space. In particular, he has experience with cybersecurity assessment and prevention, incident responses, breach notifications and remediation.

Our Vice President, Information Technology oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above and, along with and informed by the Information Technology organization and our Incident Response Team, monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Depending on the severity of the security incident, the Incident Response Team will report the security incident to our Audit Committee, including the financial impact of the security incident and any regulatory violations. As our Information Technology organization monitors the security and effectiveness of our policies and procedures, they also work to keep the Vice President, Information Technology and other members of leadership informed of critical incidents, process updates, or other material details, in accordance with our internal reporting structure.

Our Vice President, Information Technology provides an annual briefing to the Audit Committee regarding our company’s cybersecurity risks and activities, including the status of cybersecurity system development, company-wide cybersecurity training programs, material changes to the cybersecurity system, policies or practices, any recent cybersecurity incidents and related responses, cybersecurity systems testing and engagement of third-party service providers in support of our cybersecurity system. Special meetings may also be called with the Audit Committee to brief the members on any material cybersecurity incidents and related responses thereto. Subsequent to such briefings, our Audit Committee will provide an update to the Board on such reports. In addition, the Board will receive periodic updates in meeting materials or directly from our Chief Financial and Business Officer on cybersecurity risks and activities.