TScan Therapeutics, Inc. - (TCRX)
10-K Filing Date: March 06, 2024
Risk Management and Strategy
We recognize the importance of safeguarding the security of our computer systems, software, networks, and other technology assets. We have implemented processes for identifying, assessing, and mitigating cybersecurity risks and we have implemented a cybersecurity risk management program that is informed by recognized industry standards and frameworks and incorporates elements of the same, including elements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Our cybersecurity risk management program incorporates a number of components, including, but not limited to, information security policies and operating procedures, periodic information security risk assessments and other vulnerability analyses, and ongoing monitoring of critical risks from cybersecurity threats using automated tools. Additionally, we have implemented a process to conduct cybersecurity awareness training for employees during onboarding and thereafter.
We maintain a Cybersecurity Incident Response Plan, or CIRP, which is designed to guide our response to cyber incidents, including to mitigate and contain any potential cybersecurity incidents that could affect our systems, network, or data. The CIRP identifies the individuals responsible for developing, maintaining, and following procedures related to cybersecurity incident response, including escalation protocols. We also engage external third-party consultants to provide services, such as penetration testing, which is conducted on an annual basis, and periodic vulnerability assessments. These consultants also perform annual assessments of our cybersecurity program, which involve, among other things, review of our IT security measures and processes for alignment with the NIST Cybersecurity Framework and provision of threat intelligence regarding emerging risks to our information systems.
As part of our cybersecurity risk management program, we maintain processes around third-party vendor risk management, including a framework for managing third-party information security risks. This framework, which applies to select third parties who have access to our systems and/or process our information, includes processes for assessing and reviewing the cybersecurity practices of such third parties, including a review of available security audit reporting and certifications and inclusion of security requirements in contracts, as appropriate.
We have not been materially affected by cybersecurity threats. We may, from time to time, experience threats to and security incidents related to our data systems, but we do not believe they are reasonably likely to materially affect our business strategy, results of operations or financial condition. For more information, please see the risk factors entitled “Our internal computer systems, or those used by our third-party CROs or other contractors or consultants, may fail or suffer security breaches or other unauthorized or improper access, which could result in a material disruption of the development programs of our product candidates” and “Security incidents, loss of data or modification of information, and other disruptions could compromise information related to our business or prevent us from accessing critical information, result in a significant disruption of our activities and expose us to liability, which could adversely affect our business and our reputation” in Item 1A - Risk Factors in this Annual Report.
Governance
Our Head of Information Technology and Security, or Head of IT, has primary responsibility for day-to-day management of our cybersecurity risk management program, including leading a dedicated team of information technology professionals to monitor cybersecurity risks on behalf of TScan. Our Head of IT has over 15 years’ experience with information technology and cybersecurity risk management programs.
This team is responsible for assessing potential vulnerabilities and exposures to cybersecurity threats, implementing controls and measures designed to mitigate these risks, and regularly monitoring and updating these policies to adapt to evolving threats. If an incident arises, the Head of IT notifies our Chief Legal and Compliance Officer and Chief Financial Officer, who will raise issues to those charged with governance, as appropriate.
Our audit committee, a subcommittee of our board of directors, has been delegated responsibility for oversight of cybersecurity risk management, which includes reviewing our cybersecurity and other information technology risks, controls and procedures, including our plans to mitigate and respond to cybersecurity risks. The Head of IT, alongside the Chief Legal and Compliance Officer and Chief Financial Officer, provides quarterly reports to the audit committee covering cybersecurity and other information technology risks affecting us. These reports may include reviewing our current infrastructure and the status of key cybersecurity initiatives, including the status of ongoing mitigation efforts, providing insights into the latest cybersecurity threats, and discussing any recent security incidents impacting our peer companies. Periodically, or in the event of a critical cybersecurity incident, the Chief Legal and Compliance Officer and Chief Financial Officer will provide our full board of directors with findings and recommendations from these reports.