Larimar Therapeutics, Inc. - (LRMR)
10-K Filing Date: March 14, 2024
Cyber Risk Management and Strategy
We have implemented and maintain various information security processes designed to manage cybersecurity risks relating to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data related to our clinical trials and products (Information Systems and Data).
Our Director of Information Technology, assisted by our managed information technology service provider and other third party service providers, lead the Company’s cybersecurity risk management processes. This group works to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods in certain contexts, including, manual tools, subscribing to reports and services that identify cybersecurity threats, analyzing threat intelligence reports and feeds, conducting scans of certain environments, and other tests.
We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage risks from cybersecurity threats to our Information Systems and Data, as applicable depending on the environment, including incident detection and response, disaster recovery/business continuity policies, network security controls and data segmentation, access controls, physical security, asset management and tracking, systems monitoring, and employee training.
Our assessment and management of risks from cybersecurity threats are part of the Company’s overall risk management processes. Our Director of Information Technology works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
We use third-party service providers to assist us to identify, assess, and manage risks from cybersecurity threats. These third-party service providers may include threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, and dark web monitoring services.
We also have established a process to conduct diligence on certain third parties before engaging with those third parties, such as those that support our GxP processes, which may include a security assessment.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems and infrastructure. For more information, please see our risk factors under Part 1 Item 1A. Risk Factors.
Governance
Our board of directors holds oversight responsibility over the Company’s cybersecurity risk management as part of its general oversight function. The audit committee of the board of directors is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of the Company’s processes for monitoring and controlling cybersecurity risks.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Director of Information Technology, who has over 10 years of information technology management experience.
The Director of Information Technology, along with management, is responsible for helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy and communicating key priorities to relevant personnel. Management is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security-related reports.
We have processes designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Vice President Legal and Compliance, Vice President Finance and
88
Administration, Chief Financial Officer and Director of Information Technology. In addition, the Company’s incident response policy includes a process for reporting to the audit committee of the board of directors for certain cybersecurity incidents.
The audit committee receives reports from members of the Company’s management concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them, as applicable.