Savara Inc - (SVRA)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

As part of our enterprise risk management program, we have implemented and maintain policies and processes to identify and mitigate risks posed by cybersecurity threats. Our policies and processes are based upon the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, and we utilize technologies to help identify and manage potential cyber threats. We have also secured cyber-specific insurance coverage as part of our overall insurance portfolio.

We have engaged an independent, third-party services provider to assist in monitoring our information technology systems, as well as identifying, assessing, and mitigating the associated cyber risk. With that provider, we conduct periodic assessments of our information security program to evaluate the effectiveness of applicable security controls, which include penetration testing, vulnerability scanning, and red teaming. Our Chief Financial and Administrative Officer (“CF&AO”) reviews the results of those assessments with our third-party provider to reasonably address any identified potential gaps. We also utilize a range of tools and services to help ensure material threats are prevented or the risks of such threats are mitigated, which include network and endpoint monitoring, system patching, user and server backups, annual awareness training, and periodic vulnerability evaluation. Management reviews monthly monitoring reports and meets with our third-party provider on a regular basis to review activities and debrief on any key IT-related issues.

We have an employee education program that includes annual training designed to raise awareness of cybersecurity threats, and we require employees to review and acknowledge our IT Security Policy on an annual basis. Additionally, we have adopted an IT Incident Response Plan that outlines the procedures to be followed in response to a data breach, whether internal or through a third-party, that are designed to help contain, assess, and respond to the incident and mitigate potential harm.

Our systems periodically experience directed attacks intended to lead to interruptions and delays in our operations as well as loss, misuse, or theft of information and other data, confidential information, or intellectual property. However, to date, these incidents have not had a material impact on our operations. Any significant disruption to our service or access to our systems could adversely affect our business and results of operations. Further, a penetration of our systems or a third-party’s systems or other misappropriation or misuse of information could subject us to business, regulatory, litigation, and reputation risk, which could have a negative effect on our business, financial condition and results of operations. See Risk Factors – Risks Related to Information Technology and Data Privacy.

Governance Related to Cybersecurity Risks

The Audit Committee of our Board of Directors is responsible for the general oversight of risks related to data privacy and cybersecurity. The Audit Committee periodically reviews the Company’s cybersecurity program with management, including (i) the adequacy of controls and security for the Company’s information technology systems and (ii) the Company’s response plan in the event of a security breach impacting those systems. Our CF&AO has primary responsibility for overseeing the day-to-day management of cybersecurity risks and has served in that role for three years. Our CF&AO oversees the policies and processes described above and provides the periodic management briefings to the Audit Committee, including any cybersecurity incidents and related responses. Further, at least annually, the Board of Directors receives updates of potential cybersecurity incidents, as well as the data privacy and compliance programs, and its members actively participate in discussions with management regarding cybersecurity risks.