EyePoint Pharmaceuticals, Inc. - (EYPT)
10-K Filing Date: March 08, 2024
We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors, and other business partners.
Cybersecurity Program
Given the importance of cybersecurity to our business, we maintain a robust cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical, and technical safeguards, with regular evaluations of our cybersecurity program, including periodic internal and external audits, penetration tests, and incident response simulations. We also require cybersecurity training when onboarding new employees and contractors, as well as ongoing cybersecurity awareness training for our employees, contractors, and other workforce members. Our program leverages industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), to strengthen our program effectiveness and reduce cybersecurity risks.
We use a risk-based approach with respect to our use and oversight of third-party service providers. We use a number of means to assess cyber risks related to our third-party service providers, including vendor questionnaires and due diligence in connection with onboarding new vendors, and periodic reviews thereafter as appropriate.
Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
We maintain a regularly tested incident response program for use in the event of a cybersecurity incident. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and the associated threat, and for handling it in accordance with that severity level. We have relationships with a number of third-party service providers to assist with cybersecurity containment and remediation efforts.
Governance
Upon notification of concerning factors which may indicate that a notable cybersecurity incident has occurred, the Cyber Security Subcommittee (the “Cyber Security Subcommittee”), consisting of the Chief Legal Officer, Chief People Officer & SVP of IT, Associate General Counsel, Head of Information Technology, and a member of the Financial Reporting team, meets to make an initial assessment. If the Cyber Security Subcommittee determines there is a reasonable likelihood that a notable cybersecurity incident has occurred, then notice will promptly be given to certain members of the Company Executive Team, including our President/Chief Executive Officer, Chief Financial Officer, Chief Legal Officer & Corporate Secretary, and Chief People Officer/SVP of IT.
Our team leverages over 25 years of experience in various cyber security functions. Our SVP of IT and her team are responsible for the day-to-day management of the cybersecurity program.
The SVP of IT provides periodic briefings for our senior management team on cybersecurity matters, including the prevention, detection, mitigation, and remediation of cybersecurity incidents and cybersecurity threats.
Board Oversight
While the Board of Directors has overall responsibility for risk oversight, our Audit Committee oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management, and overseeing the Company’s cybersecurity and privacy risk exposures and policies. On a quarterly basis, the SVP of IT reports to the Audit Committee on information technology and cybersecurity matters, including key information technology risks. The SVP of IT also promptly apprises the Audit Committee and the full Board of cybersecurity incidents, consistent with our incident response program.
Cybersecurity Risks
Our cybersecurity risk management processes are integrated into our overall Enterprise Risk Management (“ERM”) process. As part of our ERM process, department leaders identify, assess, and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. Department leaders are asked to consider the severity and likelihood of certain risk factors, drawing upon their company knowledge and past business experience. While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.” To date, we have not experienced any material cybersecurity incidents or threats.