Eton Pharmaceuticals, Inc. - (ETON)
10-K Filing Date: March 14, 2024
Risk Management and Strategy
Managing cybersecurity risk is critical to supporting our vision, enabling our strategy, and safely operating our business. We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process which covers all Company risks. As part of this process, appropriate personnel collaborate with third-party subject matter experts to gather insights for identifying and assessing material risks associated with cybersecurity threats, their severity, and potential mitigations. Further, we provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity event.
We have a cybersecurity risk assessment process that involves the activities listed below, among others:
● Compare our processes to benchmark standards, such as those set by the National Institute of Standards and Technology (“NIST”).
● Closely monitor emerging data protection laws and implement changes to our processes as needed.
● Conduct annual cybersecurity management and incident training for employees involved in our systems that contain sensitive data.
● Run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies as needed.
● Carry cybersecurity risk insurance that provides protection against potential losses arising from a cybersecurity incident.
As part of the above process, we engage third-party services to provide 24-hour, 365-day monitoring, escalation, and response to cyber events. In addition to consulting on best practices, we leverage a third-party expert security firm for independent evaluations of our security controls through penetration testing. These evaluations test both the design and the operational effectiveness of security controls.
Our process also addresses material risks from cybersecurity threats associated with our use of third-party service providers, including those in our supply chain, our product development partners, or those who have access to sensitive data or our systems. Third-party risks are included within our broader overall risk assessment process, and cybersecurity considerations are taken into account during the selection and oversight of our third-party service providers.
Governance
Our board of directors, in coordination with the Audit Committee, oversees our risk management program, including the management of risks associated with cybersecurity threats. Our board of directors and Audit Committee receive periodic updates on developments in our cybersecurity risk management practices, evolving standards, third-party vulnerability assessments, and information security issues. On an annual basis, our board of directors and the Audit Committee discuss our approach to overseeing cybersecurity threats with senior management, including our Chief Executive Officer (“CEO”) and Chief Financial Officer (“CFO”).
Senior management works collaboratively across the organization to implement a program designed to protect our information systems from cybersecurity threats and to respond to any cybersecurity incidents in accordance with our incident response and recovery plans. A cross-functional team addresses cybersecurity threats and responds to cybersecurity incidents through communications within the team and with third-party experts to stay informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents and report such incidents to the board of directors and the Audit Committee when appropriate.
As of the date of this Form 10-K, we are not aware of cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business, strategy, results of operations, or financial condition at this time. For further discussion of the risks associated with cybersecurity incidents, see Part I, Item 1A of this Form 10-K under the risk factor entitled "We rely significantly on information technology and any failure, inadequacy, interruption or security lapse of that technology, including any cybersecurity incidents, could harm our ability to operate our business effectively."