AVROBIO, Inc. - (AVRO)
10-K Filing Date: March 14, 2024
We, under the oversight of our Audit Committee, have implemented and maintain an enterprise risk management program that encompasses cybersecurity risk management and is designed to identify, assess and mitigate critical risks from cybersecurity threats. Our cybersecurity risk management program is informed by, and incorporates elements of, recognized industry standards and frameworks, including elements of the National Institute of Standards and Technology Cybersecurity Framework. Our program includes controls and procedures designed to identify, classify and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of material incidents, if any, in a timely manner.
As part of our cybersecurity risk management program, we implement technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls. Additionally, we have established and maintain processes related to incident response and have been developing processes related to business continuity and disaster recovery designed to address our response to a cybersecurity incident. We leverage third parties and cybersecurity consultants as appropriate, including a virtual Chief Information Security Officer, or vCISO, to develop strategies to assess, address and align cybersecurity efforts with our business objectives and operational requirements. Further, we have a risk-based process to assess the cybersecurity practices of certain third parties prior to onboarding, including vendors, service providers and other external users of our systems.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems. See Item 1A “Risk Factors” in this Annual Report on Form 10-K for more information.
Governance
Our information technology representative, in consultation with our vCISO, is responsible for the day-to-day administration of our cybersecurity policies, processes and practices. The information technology representative and our vCISO meet regularly to review any outstanding cybersecurity risks and to discuss any recommended hardening or remediation measures. The information technology representative reports and provides periodic updates regarding the cybersecurity risk management program to our Chief Financial Officer. The individual currently operating as our information technology representative has 19 years of experience in information technology and information security, including at another public company.
The AVROBIO Board has delegated oversight of the Company’s cybersecurity risk management program to our Audit Committee, which generally oversees our enterprise risk management program. Our Audit Committee receives periodic updates on the cybersecurity risk management program, including our risk management practices, from our information technology representative. Our Audit Committee reports on cybersecurity risks and risk management to the full AVROBIO Board as appropriate.