Galecto, Inc. - (GLTO)
10-K Filing Date: March 08, 2024
Governance Related to Cybersecurity Risks
Our board of directors is involved in risk oversight through its attention to our overall business strategy, and it has delegated oversight of risk assessment and management to the audit committee. The audit committee administers its risk oversight function by receiving periodic reports from members of senior management. Our audit committee discusses cybersecurity threats and our risk management processes at least annually, receives updates on relevant developments, and considers steps that our management has taken to monitor and seek to address risk exposures. The full board of directors also discusses with management our major risk exposures, their potential impact on us, and the steps we take to manage them.
Our Information Technology Administrator, working with and through external vendors, including our outsourced Data Protection Officer, implements and administers our information security processes. Our Information Technology Administrator, in conjunction with the Data Protection Officer, provides regular reports to our Chief Financial Officer and General Counsel on cybersecurity risks and the implementation of risk management processes.
Cybersecurity Risk Management and Strategy
Our processes to identify, assess, and manage risks presented by cybersecurity threats are informed by industry cybersecurity standards, including components of the National Institute of Standards and Technology Cybersecurity Framework, ISO 27001 standard, and Health Insurance Portability and Accountability Act (“HIPAA”) security regulations. Our cybersecurity management processes have included an assessment to identify key risk areas and to inform our overall strategy, as well as cybersecurity assessments in connection with our review of key financial systems. Our processes also include technical controls, such as network monitoring tools and multi-factor authentication, where appropriate, and we engage reputable vendors to host sensitive company information. Before contracting with such vendors or purchasing third party technology or other solutions that involve exposure to sensitive company information, we conduct due diligence on the vendor, which includes a security review, and we receive and review security updates and alerts from these vendors. We have also implemented annual training for employees as well as phishing and other attack simulations as part of our cybersecurity readiness processes.
We have established an incident response process to identify, assess, and respond to cybersecurity events, if any. This process includes established roles, responsibilities and procedures to guide incident response operations, and reporting procedures for notifying members of management and the audit committee, where appropriate. We also maintain back-ups and disaster recovery plans to restore information in the event of an incident. We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats and security incidents that could affect our information or systems. For more information, please see “Item 1A, Risk Factors.”