vTv Therapeutics Inc. - (VTVT)
10-K Filing Date: March 13, 2024
ITEM 1C. CYBERSECURITY
The Audit Committee of our Board of Directors is responsible for overseeing management’s processes for identifying and mitigating risks that affect our operations, including cybersecurity risks. Procedures for assessing, identifying and managing cybersecurity-related risks are incorporated into our overall risk management framework. Senior leadership regularly briefs the Audit Committee and the full Board of Directors on our cybersecurity and information security posture, and the Audit Committee is apprised of cybersecurity incidents deemed to pose a critical risk to our information technology ("IT") assets or business. We have an incident response playbook that outlines the steps to be followed from incident detection to mitigation, recovery and notification, including notifying key functional areas, such as legal and financial reporting, as well as senior leadership and the Audit Committee, as appropriate. We rely upon our in-house IT resource and cybersecurity vendors to monitor our IT systems and assets and have a governance structure and processes to assess, identify, manage, and report cybersecurity risks.
As a biopharmaceutical company, we must comply with extensive regulations, including requirements imposed by the FDA related to adequately safeguarding patient information. We work with our in-house IT resource and cybersecurity vendors on assessing cybersecurity risk and on policies and practices aimed at mitigating these risks. We have engaged third parties to conduct evaluations of our security controls, including through penetration testing, independent audits, and consulting on best practices to address new challenges. We require that our employees and subcontractors report cybersecurity incidents to us so that we can assess the impact of the incident on our systems and operations.
We currently have one full-time employee who manages our day-to-day information technology systems and the third-party vendors engaged to assist in such management, including monitoring and addressing cybersecurity matters, and who reports to our Chief Financial Officer. Our cybersecurity vendor, which has a SOC 2 Type II Report and is ISO 27001 certified, utilizes industry-leading processes to monitor cybersecurity threats and risks to our systems in real time. Our in-house IT resource receives immediate notification of incidents, engages regularly with our cybersecurity vendor through weekly and monthly reports and quarterly meetings to address any issues identified through their processes, and communicates such issues in accordance with our incident response plan.
Although we have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity incident that materially affected our business, financial condition and results of operations, we can provide no assurance that we will not experience a material cybersecurity incident in the future. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For additional information regarding the risks we face from cybersecurity threats, please see the risk factor titled “Our business and operations would suffer in the event of computer system failures, cyber-attacks or a deficiency in our cyber-security” included in Part I, Item 1A, Risk Factors of this Annual Report on Form 10-K.