LUMOS PHARMA, INC. - (LUMO)

10-K Filing Date: March 07, 2024
Item 1C. CYBERSECURITY
Risk management and strategy
We have implemented and actively maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including confidential information that is proprietary, and strategic or competitive in nature (“Information Systems and Data”).
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: penetration and vulnerability testing, simulations, and other exercises designed to evaluate the effectiveness of our information security processes and improve our security measures.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, our information technology department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
We engage third party auditors to conduct periodic reviews of our security controls protecting our Information Systems and Data, as well as third party penetration testing of our network infrastructure and related systems. The results of these reviews are reported to the audit committee of our Board of Directors.
We use third party service providers to perform information systems and security services, such as developing a vendor management program to manage cybersecurity risks associated with our use of certain vendors. The program includes a review of the security controls and processes used by our vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the service provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a vendor and impose contractual obligations related to data security on the vendor.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part I, "Item 1A. Risk Factors" in this Annual Report on Form 10-K, including “Our business and operations would suffer in the event of system failures, security breaches or cyber-attacks.”
Governance
Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The nominating and corporate governance committee of our Board of Directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management team, including our director, information technology and our IT security specialist, with input from outside parties specializing in cybersecurity risk. Our director, information technology is responsible for communicating key priorities to relevant personnel and helping to integrate cybersecurity risk considerations into our overall risk management strategy. Our IT security specialist is responsible for reviewing cybersecurity processes and security assessments, preparing security-related reports, and helping prepare for cybersecurity incidents. Our senior IT personnel have expertise in general IT matters and are pursuing certifications in cybersecurity. We utilize third parties for specialized IT matters, including cybersecurity, to augment the expertise of our internal IT personnel.
Our cybersecurity incident response plan is designed to actively monitor and escalate certain cybersecurity incidents to members of management depending on the circumstances, including our chief financial officer and general counsel. Management works with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response plan includes reporting to the audit committee of the Board of Directors for certain cybersecurity incidents.
The nominating and corporate governance committee receives periodic reports from our chief financial officer concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. The nominating and corporate governance committee also receives various reports, summaries or presentations related to cybersecurity threats, risks and mitigation.