Protara Therapeutics, Inc. - (TARA)
10-K Filing Date: March 13, 2024
We maintain a cyber risk management program designed to identify, assess, manage, mitigate and respond to cybersecurity threats. This program, in conjunction with our enterprise risk management assessment processes, addresses cybersecurity risks to the corporate information technology, or IT, environment including systems, hardware, software, data, people and processes.
The underlying processes and controls of our cyber risk management program incorporate recognized best practices and standards for cybersecurity and IT, including the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, and processes and controls supporting data protection requirements under applicable law. We have an annual assessment performed by a third-party specialist of the Company’s cyber risk management program against the NIST CSF. The annual risk assessment identifies, quantifies and categorizes material cyber risks. In addition, we, in conjunction with the third-party cyber risk management specialists, developed a risk mitigation plan to address such cyber risks, and, where necessary, remediate potential vulnerabilities identified through the annual assessment process.
In addition, we maintain policies over areas such as protecting and handling confidential information, processing of personal data, access on/off boarding, user management, acceptable use, and IT change control management to help govern the processes put in place by management designed to protect our IT assets, data and services from threats and vulnerabilities. We employ additional key practices within the cyber risk management program including, but not limited to, maintenance of an IT assets inventory, periodic vulnerability scanning, identity access management controls including restricted access to privileged accounts, and physical security measures at our facilities. We also utilize information protection/detection systems, or IPS/IDS, including maintenance of firewalls and anti-malware tools, network and data traffic monitoring with automated alerting, ongoing cybersecurity user awareness training, industry-standard encryption protocols, formalized change management processes and critical data backups to reduce cybersecurity risk.
Cybersecurity partners, including assessors, consultants, advisors and other third-party service providers, are a key part of our cybersecurity risk management strategy and infrastructure. We partner with industry-recognized cybersecurity providers leveraging third-party technology and expertise and engage with these partners to monitor and maintain the performance and effectiveness of IT assets, data and services. The cybersecurity partners provide services including, but not limited to, systems inventory monitoring, configuration management, vulnerability scanning, user management, mobile device monitoring, capacity monitoring, network protection and monitoring, IPS/IDS management, remote access monitoring and management, user activity monitoring, data backups management, infrastructure maintenance, incident response, cybersecurity strategy, and cyber risk advisory, assessment and remediation.
Our finance leadership team, led by our chief financial officer, in conjunction with third-party IT and cybersecurity service providers, is responsible for oversight and administration of our cyber risk management program, and for informing senior management and other relevant stakeholders regarding the prevention, detection, mitigation and remediation of cybersecurity incidents. Our finance leadership team has experience selecting, deploying and overseeing cybersecurity technologies, initiatives, and processes directly or via selection of strategic third-party partners. We also rely on threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us for strategic cyber risk management, advisory and decision making.
We have implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third parties that may lead to a service disruption or an adverse cybersecurity incident. This includes processes for performing third-party risk ratings and data classification mapping of current and ongoing vendors.
The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity stakeholders, including member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk advisory services, brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the effectiveness of our cyber risk management program, the emerging threat landscape, and new cyber risks on at least an annual basis. This includes updates on our processes to prevent, detect and mitigate cybersecurity incidents. In addition, the Audit Committee is responsible for reporting information about such risks to the Board of Directors, and material cybersecurity risks and/or events are reviewed by the Board of Directors, at least annually, as part of our corporate risk oversight processes.
We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We acknowledge that the risk of cyber incidents is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of our business. However, prior cybersecurity incidents have not had and are not reasonably likely to have a material adverse effect on our business, financial condition, results of operations, or cash flows. We proactively seek to detect and investigate unauthorized attempts and attacks against our IT assets, data and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to our service delivery; however, potential vulnerabilities to known or unknown threats will still remain. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors and additional stakeholders, which could subject us to additional liability and reputational harm. In response to such risks, we have implemented initiatives such as implementation of the cybersecurity risk assessment process and development of an incident response plan. See Item 1A. “Risk Factors” for more information on Company cybersecurity risks.