Aadi Bioscience, Inc. - (AADI)
10-K Filing Date: March 13, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We adhere to industry-leading frameworks to safeguard our systems and data. The primary framework we follow is the HITRUST CSF (Common Security Framework). The HITRUST CSF provides a comprehensive, scalable, and technology-neutral approach to regulatory compliance and risk management. It encompasses information security risk management controls, including risk assessment, mitigation, and evaluation. Our processes for assessing, identifying, and managing material cybersecurity risks align with the HITRUST CSF guidelines.
We conduct monthly risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we evaluate whether and how to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Chief Financial Officer, who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with our human resources and information technology departments. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.
We engage assessors, consultants, and auditors in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.
Although we have designed our cybersecurity program and governance procedures above to mitigate cybersecurity risks, we face unknown cybersecurity risks, threats and attacks. To date, these risks, threats or attacks have not had a material impact on our operations, business strategy or financial results, but we cannot provide assurance that they will not have a material impact in the future. See the section entitled "Risk Factors" included elsewhere in this Annual Report for further information. For further information, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K, including the risk factors entitled “Risks Related to Employee Matters, Managing Our Growth and Other Risks Related to our Business: Our internal computer systems, or those of any of our CROs, manufacturers, other contractors or consultants or potential future collaborators, may fail or suffer security or data privacy breaches or other unauthorized or improper access to, or use or other processing of, or destruction of our proprietary or confidential data, employee data, or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations.”
Governance
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers, including our Chief Financial Officer and General Counsel, are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through its audit committee.
Our Chief Financial Officer and Senior Director of Information Technology are primarily responsible for assessing and managing our material risks from cybersecurity threats with assistance from third-party service providers. Our Senior Director of Information Technology leads our internal team and has over 20 years of cybersecurity experience, including the last 10 years in leadership positions, enabling him to build and transform successful cybersecurity programs and initiatives across several enterprises. His active associations include Veteran Volunteer Instructor for US Cyber Army Command (ARCYBER), Information Systems Security Association (ISSA), and Forum of Incident Response and Security Teams (FIRST), and he has held many technical certifications including Strategic Planning, Policy, and Leadership (GSTRT), Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP). Our third-party vendors include assessors, consultants, and auditors holding (but not limited to) the following relevant certifications: Certified Information Systems Security Architecture Professional (CISSP-ISSAP), Certified in the Governance of Enterprise IT (CGEIT), Certified Data Privacy Solutions Engineer (CDPSE), and Certified Ethical Hacker (C|EH).
Our Chief Financial Officer and Senior Director, Information Technology oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our Chief Financial Officer and Senior Director, Information Technology are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include company incident management and data protection policies, and applicable cybersecurity incident response playbooks.
Our Chief Financial Officer and Senior Director, Information Technology provide periodic briefings to the audit committee regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our audit committee provides regular updates to the board of directors on such reports.