Neurogene Inc. - (NGNE)
10-K Filing Date: March 18, 2024
Item 1C: Cybersecurity
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to maintain the security, confidentiality, integrity, and availability of our business systems and confidential information, including personal information and intellectual property. To this end, we have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a hybrid information technology team consisting of Managed Services and Managed Security Services partners, which is led by our head of information technology, and include mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data. For example, we conduct annual penetration and vulnerability testing, periodic data recovery testing, internal security audits, and ongoing risk assessments, including due diligence on our key vendors. We also conduct, and track completion of, regular and event-driven employee trainings on cyber, phishing, spam, and information security, among other topics. In addition, we consult with outside advisors and experts on a regular basis to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on our risk environment.
We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. In August 2023, we discovered that we had been subjected to a business email compromise attack by a third party, resulting in a loss of $0.9 million due to a diversion of payments to two fraudulent bank accounts ($0.7 million of which has been recovered). We recently deployed, and intend to continue to extend, our cybersecurity capabilities with advanced cybersecurity technology, processes and resources that are designed to help enable us to actively identify, protect, detect, respond to, and recover from risks and threats, but nonetheless we face certain ongoing cybersecurity risk threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Risks Related to Our Business and Operations.”
Our Executive Director of IT, who reports into the finance organization, has over 25 years of experience managing information technology and cybersecurity matters. He works collaboratively with outside consultants, including our Managed Services and Managed Security Services partners, to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents. He provides regular updates to the President and Chief Financial Officer regarding our efforts to monitor the prevention, detection, mitigation and remediation of cybersecurity threats.
The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board of Directors to oversee cybersecurity risks. The Audit Committee will receive regular updates on cybersecurity and information technology matters and related risk exposures from our President and Chief Financial Officer. The Board of Directors also receives updates from management and the Audit Committee on cybersecurity risks on at least an annual basis.