Clene Inc. - (CLNN)
10-K Filing Date: March 13, 2024
Overview
Information, unlike other assets such as cash, facilities, equipment, and products, is highly volatile in terms of its value, and many people can use it simultaneously. It leaves no obvious indicators when it is stolen, and it is in constant motion across our internet, intranet, extranet, and computer systems. It is often stored in many locations in different formats at the same time. These characteristics make it much more difficult to manage, control, and protect than other types of assets, and therefore a risk management process is required. Our cybersecurity policies and procedures have been developed to ensure an adequate and consistent approach to the management, control, and protection of our information (“Information Assets”). Our Information Assets include business information, customer information, and external business partner information, including, without limitation, classified information, information relating to research, intellectual property, personally identifiable information, business and product development, clinical test and evaluation data, business plans, customer and supplier information, supply chain, manufacturing, distribution, finance, human resources, consulting, partnerships, contracts, and corporate transactions, maintained in any form, format, or location, including audio, video, paper, magnetic, electronic, and optical. Information Assets may be classified as Low, Medium, or High Risk based on the potential impact of their unauthorized disclosure.
Device and Network Security
Our device and network security policies and procedures are designed to mitigate risk by ensuring our network and computing devices (“Computer Equipment”), electronic systems, and resources used in our business (“Information Systems”), whether owned or leased by us, our employees, or third parties, and the Information Assets contained therein, are protected from security threats.
To mitigate risk, we utilize (i) firewalls to protect our network perimeter and additional perimeters within the network as required, (ii) anti-malware software to protect all Computer Equipment, including but not limited to desktops, laptops, workstations, and servers, (iii) device scanning, alerts, and reporting, (iv) physical security, (v) security and application lifecycle security, (vi) security updates and backups, and (vii) vulnerability and risk assessments.
Firewalls. Our network and Computer Equipment are protected by one or more authorized firewalls, with any changes to firewall hardware, operating system, or rules requiring approval from authorized personnel, including the review and approval of an IT change control document. Administration of firewalls is restricted to the minimum number of authorized personnel necessary. We also employ intrusion detection at critical points of our network. All external access to our network, or to any computing resource on our network connected to a non-Clene network (including, but not limited to, the internet), must pass through a hardware firewall, appliance, or equivalent device, where all traffic between our network and external networks can be continuously controlled, monitored, and examined for any access violations.
Anti-Malware Software. Our Computer Equipment is protected by anti-malware software. The management and administration of anti-malware software is restricted to a minimum number of authorized personnel as necessary.
Real-Time Monitoring. We engage a third-party security operations center that actively monitors our environment and detects and remediates security threats in real time.
Device Scanning, Alerts, and Reporting. We reserve the right to monitor, scan, screen, and quarantine/confiscate all Computer Equipment that accesses our network, in compliance with applicable laws and government regulations. We also reserve the right to scan information systems, monitor or screen content and traffic patterns, block e-mail, quarantine and/or confiscate any Information Systems that may pose a threat to us, and, if such activities reveal possible evidence of criminal activity, to take any appropriate action, which may include providing evidence to law enforcement officials.
Physical Security. We control physical access to our facilities, areas within our facilities, data centers, server rooms, and equipment. Manufacturing and research and development are conducted out of our Maryland facility, which employs badging, visitor registries, escorts for visitors, exit/removal procedures, and physical locks/access controls as appropriate and necessary. Our corporate office in Utah is equipped with physical security, including locks/access controls to the facility and to secure all IT-related equipment and personnel files. Installation, maintenance, and repair of equipment are restricted to authorized personnel. We protect our Computer Equipment from power failure, surges, and other electrical anomalies, and cabling is protected from unauthorized access or damage. Access to our network services is restricted to authorized individuals and granted only following individual identification and authentication. Local wireless access is limited to authorized entry points, with various forms of authentication required before access is granted to authorized individuals.
Security and Application Lifecycle Security. We perform analysis of security requirements for all systems and applications throughout their lifecycle, including for new systems and applications and significant upgrades to existing systems and applications. All new or upgraded systems and applications are tested for stability, compatibility, and security integrity in a separate environment prior to introduction into our production environment.
Security Updates and Backups. We monitor security bulletins, software updates/patches, and functional software updates/patches and apply them in accordance with the timeline prescribed in our policies and based upon recommendations from third-party vendors, as applicable. Systems for which security updates/patches are no longer provided are discontinued. We research, test, and verify functional software updates/patches before installation. We perform data backups periodically based on business requirements to maximize data availability and prevent information loss, including before any system upgrade or maintenance. Encrypted data remains encrypted throughout our backup processes. We review backup schedules at least annually, and changes may only be made by authorized personnel after formal documentation and approval. Data backups are stored in geographically separate facilities.
Vulnerability Assessments. We conduct assessments of potential vulnerabilities for all new and existing network-connected assets on an annual basis. Any potential vulnerabilities that we identify are remediated. We rate vulnerabilities based on the following criteria: (i) High: A vulnerability exists that could potentially allow an attacker to gain elevated access to the host, divulge system information, and/or lead to system or network compromise; (ii) Medium: A vulnerability exists that could potentially allow an attacker limited access to file contents or security settings, or the ability to conduct a denial-of-service attack; (iii) Low: A vulnerability exists that could potentially allow an attacker limited access to sensitive host system data, such as installed software versions, giving the ability to exploit application vulnerabilities; and (iv) Info: An attacker could collect basic host information such as open ports and services.
Security Incident Reporting
Our security incident reporting policy and procedures enable the identification, monitoring, reporting, and response capabilities for known or suspected security incidents in our network and all IT-managed services and Information Systems. Security incident identification begins with a broad range of potential risks, including, but not limited to, theft or unauthorized disclosure of Information Assets, unexpected modification of Company Information Assets, disruptions of service that can result in Information Assets being unavailable for an unacceptable amount of time, and suspicious behavior and/or unauthorized activity by any individual or organization that can potentially compromise Information Assets or Information Systems.
Our process to monitor, report, and respond to identified or suspected security incidents includes (i) collection of relevant information about an incident, including (a) impacted systems, (b) impacted entities, (c) protection mechanisms that were in place and active at the time of the security incident, (d) audit logs, and (e) the risk classification of the Information Assets that were potentially impacted; (ii) reporting to a centralized ticketing system; (iii) reporting to management and other authorities, such as legal, human resources, IT, and local and/or state law enforcement, etc.; (iv) escalation, if the incident is considered to be critical based upon our assessment of its potential impact, to appropriate management and directors and other authorities; and (v) documentation of the incident and our response actions taken.
Change and Configuration Management
Our change and configuration management policy and procedures enable the effective management of changes to Information Systems (“Changes”) to ensure the confidentiality and integrity of Information Assets and the continued availability of both the Information Systems and information technology (“IT”) services. The policies and procedures apply to all changes to Information Systems managed by the Company or its IT external business partners.
Changes must be approved by authorized personnel prior to (i) performance of any work related to a Change, (ii) migration of any Change-related work from the quality environment to the production environment, to ensure the Change was adequately tested and performs properly, and (iii) closing of the Change, to ensure the Change was implemented in the production environment and correctly solves the issue that prompted the Change request.
Changes are tracked and documented in a change tracking system, and we retain past versions of source components and supporting documentation. Testing is performed in an environment other than the production environment, and user acceptance testing is performed by an independent person not responsible for development, modification, or configuration of applications, programs, or system code. Errors are identified, logged, and resolved.
Additionally, for Changes that may impact our manufacturing process, we perform impact assessments prior to performing a Change to understand the (i) level of financial, technical, and compliance risk, (ii) impact on business operations, (iii) impact on configuration and user access security, (iv) impact on connected Information Systems and interfaces, and (v) need for user training. The extent and documentation of impact assessments are commensurate with the level of risk associated with the Change, and the level of testing performed shall be determined by the results of the impact assessment.
Identity and Access Management
Our identity and access management policies and procedures define the access control measures to our Information Systems to protect the privacy, security, and confidentiality of Computer Equipment, Information Systems, and Information Assets.
Unique identification is assigned to all individuals with a defined relationship (e.g., employees, vendors, suppliers, etc.), and if a relationship changes, a new identifier is created to reflect the new relationship. Passwords must be changed upon first logon and all privileged account passwords (e.g., root, super user, and administrator passwords) must follow our password guidelines. Identification and authentication are required every time Medium or High Risk Information Assets are accessed or elevated privileges are exercised, and use of elevated privileges is temporary and is revoked upon implementation of a change.
Our data access procedures require completion and authorization of access request forms to request, change, or delete access privileges to Information Systems containing Medium or High Risk Information Assets. We perform checks for segregation of duties conflicts and only grant the minimum necessary and least privilege access to users based upon their role. When users are reassigned, promoted, or separated, their access privileges are reviewed and, if necessary, updated in a timely manner. We also perform periodic reviews of user privileges and require training for users with access to Medium or High Risk Information Assets.
Information Asset Protection
Our Information Asset protection policy and procedures enable the management, control, and protection of Information Assets from unauthorized disclosure, theft, loss, destruction, unauthorized alteration, unauthorized access, and the denial of availability, all of which could have a direct and significant impact on the future success of the Company. Protection of Information Assets supports the efficient and effective management, control, and protection of our business information and the business information entrusted to us by our customers and external business partners. All Information Asset protection policies and procedures must also be viewed in the context of our obligations to comply with government requirements, such as those related to the protection of personal data, and compliance with our contractual obligations.
We use the following approach to manage risks related to Information Asset protection: (i) identification and classification of Information Assets, (ii) identification and assessment of the threats to those Information Assets and the associated risk based upon impact to the business and the likelihood of their occurrence, (iii) assessment and analysis of risk, and determination of the actions required to lower risks to an acceptable level, (iv) implementation of appropriate controls, or management acknowledgment of risk where controls cannot be implemented, (v) continuous monitoring and measuring of risk, (vi) ongoing communication of risks and mitigating actions, and (vii) auditing for compliance.
Once a risk is identified, we analyze the risk and assign a risk classification based upon a combination of factors, including data volume, legal and regulatory requirements, privacy considerations, and intellectual property considerations. Risks are classified as (i) Low Risk, where unauthorized disclosure could be expected to have a limited adverse effect on operations, assets, or individuals; (ii) Medium Risk, where unauthorized disclosure could be expected to have a serious adverse effect on operations, assets, or individuals; or (iii) High Risk, where unauthorized disclosure could be expected to have a severe or catastrophic adverse effect on operations, assets, or individuals.
Prior to the close of 2024, we intend to implement automated system restrictions over Information Assets that will permit general use of Low Risk Information Assets both internally and by our external business partners, and will restrict access to Medium and High Risk Information Assets to limited audiences with legitimate business purposes or specific job responsibilities. Additionally, we currently use confidentiality agreements before granting access as determined by relationship of the user and the associated risks of the Information Asset, and we periodically review access rights to ensure compliance and prevent unauthorized access.
Governance
Assessing, identifying, and managing cybersecurity related risks are integrated into our overall risk management program. Our Chief Executive Officer, General Counsel, and Vice President of Quality and Technical Operations directly oversee the development, implementation, operation, and revision of our cybersecurity policies and procedures, and are primarily responsible for the oversight of risks from cybersecurity threats and any security incidents that may occur. These officers have more than 21 years of combined experience in managing IT, operations, and information risk and security. Our Vice President of Quality and Technical Operations has experience developing comprehensive information security programs for organizations, and brings extensive experience in the private sector and is a specialist in IT governance strategies, risk management protocols, and compliance frameworks. All security incidents are managed by our Vice President of Quality and Technical Operations and reported to management, including our Chief Executive Officer, General Counsel, and other personnel based upon the specifics of the incident and its impact. Additionally, if a known or suspected security incident occurs at the Company, based upon its risk classification and if we assess the impact to be critical, the incident is escalated in a timely manner to the Audit Committee of the Board of Directors for oversight of the monitoring, reporting, and response process. The Audit Committee also oversees the implementation of our policies and procedures to prevent or reduce cybersecurity risks on an ongoing basis during the performance of its general committee duties.
We face a number of cybersecurity risks in connection with our business and have from time to time experienced cybersecurity incidents, which to date have not had a material impact on our financial condition or results of operations. For more information about the cybersecurity risks we face, see Item 1A—Risk Factors “Our internal computer systems, or those used by any CROs or other third-party contractors or consultants we may engage, may fail or suffer security breaches.”