Allovir, Inc. - (ALVR)
10-K Filing Date: March 15, 2024
As discussed in this Annual Report on Form 10-K, the changes in our business and operations that will occur in connection with our review of strategic alternatives may impact our cybersecurity program in the future. As such, the following section describes the Company’s cyber risk management and strategy, and governance related to cybersecurity risks, for the fiscal year that ended December 31, 2023. For more information regarding the changes to our business and operations and associated risks, please see (i) Item 1 – Business, (ii) Item 1A – Risk Factors, and (iii) Item 7 – Management’s Discussion and Analysis of Financial Condition and Results of Operations in this Annual Report on Form 10-K.
Cyber Risk Management and Strategy
We rely on information technology systems that we or our third-party providers operate to process, transmit and store electronic information in our day-to-day operations. To help protect against risks from cybersecurity threats to these systems, we have implemented cybersecurity processes in accordance with our risk profile and business that are designed to identify, assess, and manage cybersecurity risks.
We leveraged internal and external resources to support our cyber risk management efforts, including security monitoring tools, periodic penetration tests and vulnerability assessments, and employee cybersecurity awareness training. We have in the past also engaged the services of external information security service providers to help support our information technology environment, assist with security monitoring, and help us draft and implement information security policies.
As part of our cybersecurity risk management process, we take a risk-based approach to the evaluation of third-party vendors based on the criticality and size of the vendor. This process has included a review by our external partners, as appropriate.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. As mentioned above, the changes in our business and operations may impact our cybersecurity program in the future. In addition, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our third-party vendors’ information systems and infrastructure. For more information, please see Item 1A - Risk Factors.
Governance Related to Cybersecurity Risks
Our Vice President, Head of Information Technology meets periodically with representatives from our external partners to, as applicable, review aspects of the Company’s cybersecurity processes or evaluate risks from cybersecurity threats. The individual who currently holds the title of Vice President, Head of Information Technology has approximately 20 years of experience in information security and cybersecurity risk management. Our Vice President, Head of Information Technology reports to the Chief Financial Officer.
We have established a process for management, including our Vice President, Head of Information Technology and Chief Financial Officer, to report to the Audit Committee on potential major cybersecurity risks, their potential impact on us, and the steps we take to manage them. The Audit Committee considers identified cybersecurity risks and the steps that the Company’s management has taken to monitor and control such risks in connection with the Audit Committee’s discussion of the Company’s risk assessment and management guidelines, as appropriate. The Audit Committee has periodically reviewed and discussed the Company’s cybersecurity risks, including the Company’s information security and risk management programs, controls and procedures, as well as a high-level review of the threat landscape facing the Company and the Company’s strategy to mitigate cybersecurity risks and potential security incidents.
Our board of directors oversees management of our cybersecurity risks through the Audit Committee. As needed, the chairperson of the Audit Committee provides updates on the Company’s cybersecurity risk program to the full board of directors.