Cullinan Oncology, Inc. - (CGEM)

10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity.

Our board of directors recognizes the critical importance of maintaining the trust and confidence of our vendors, partners, and employees. The Board is actively involved in oversight of the Company’s risk management program, and cybersecurity represents an important component of the Company’s overall approach. The Company’s cybersecurity standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

As one of the critical elements of the Company’s overall risk management approach, the Company’s cybersecurity program is focused on the following key areas:

Governance: As discussed in more detail under the heading below titled “Governance,” the Board’s oversight of cybersecurity risk management is supported by the audit committee’s regular interactions with the Company’s Head of Information Technology, and other members of management or a subcommittee thereof.
Collaborative Approach: The Company has developed a comprehensive, cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also developing tools and processes that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, antimalware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity managed detection and response.
Incident Response and Recovery Planning: The Company has developed a comprehensive incident response and recovery plan that addresses the Company’s response to a cybersecurity incident.
Third-Party Risk Management: The Company has various controls relating to cybersecurity threats originating from third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: The Company provides regular, mandatory training for personnel regarding cybersecurity threats to equip the Company’s personnel with tools to address cybersecurity threats, and to communicate the Company’s information technology policies, standards, processes, and practices.

The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, assessments, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company regularly engages third parties to perform assessments on our cybersecurity measures. The results of such assessments are reported to the audit committee, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments.

Governance

The audit committee of the Board oversees the Company’s risk management program, including the management of risks arising from cybersecurity threats. The audit committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, the threat environment, technological trends, and information security considerations arising with respect to the Company’s peers and third parties. When necessary, the Board receives prompt and timely information regarding any material cybersecurity incident, as well as ongoing updates regarding any such incident until it has been addressed. On a semi-annual basis, the audit committee of the Board discusses the Company’s approach to cybersecurity risk management with the Company’s Head of Information Technology.

The Company’s Head of Information Technology, in coordination with the Board and audit committee, works collaboratively across the Company to implement and execute a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery approach. To facilitate the success of the Company’s cybersecurity risk management program, the Company’s Head of Information Technology and his team monitor the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time and, when necessary, report such threats and incidents to the Board. The Head of Information Technology has served in various roles in information technology and information security for over 20 years, including serving as the Head of Information Technology of another clinical-stage biopharmaceutical company. The Head of Information Technology holds undergraduate and graduate degrees in mathematics and computer information systems, respectively.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, including its business strategy, results of operations, or financial condition.