Aquestive Therapeutics, Inc. - (AQST)
10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Aquestive’s cybersecurity program is built on three key pillars: Governance, Process, Compliance and Audit. While we face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, and results of operations, Aquestive’s cybersecurity program is built upon a set of policies, procedures, and standards supported by training and awareness. The cybersecurity team has significant experience in managing cybersecurity programs and has engaged with a MSSP to deploy state of the art cybersecurity technologies and gather threat intelligence and cyber risk trends. The cybersecurity program is executed with the MSSP which provides active threat monitoring, risk assessment and incident response capabilities to timely assess and address any material cyber risk that could impact our business operations. The Senior Vice President of Information Technology (“IT Officer”), along with the broader Information Technology function, is responsible for assessing and managing Aquestive’s cybersecurity risk and informing senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents.
Governance
Role of Management/Board
The IT Officer reports to the Chief Executive Officer and leads our cybersecurity program. Our IT Officer has over ten years of experience in information security strategy and the management of cybersecurity risk. The internal Aquestive IT team has over fifteen years of technical experience, program management and architecture experience in managing cyber risk and information security. In addition, the Audit Committee of the Board oversees Aquestive’s cybersecurity risk exposures. The IT Officer briefs the Audit Committee on the effectiveness of Aquestive's cybersecurity program quarterly with a more in depth review done annually. In addition, cybersecurity risks are also reviewed as part of our overall Enterprise Risk Management program.
We have not encountered any cybersecurity threats or incidents that have had a material impact on our business.