Tracon Pharmaceuticals, Inc. - (TCON)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity.

Risk management and strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, and confidential information that is proprietary, strategic or competitive in nature (Information Systems and Data).

Our IT personnel, third-party service providers, and Board help identify, assess and manage the Company’s cybersecurity threats and risks. In doing so, they identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s and industry’s risk profile using various methods including, for example, manual and automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of potential threat environments, and evaluating threats reported to us.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: maintaining disaster recovery and business continuity plans, conducting risk assessments, implementing security standards and certifications, encrypting data, maintaining network security controls, access controls, physical security measures, and system monitoring tools, conducting employee training, and maintaining cybersecurity insurance.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, cybersecurity risk is addressed as a component of the Company’s enterprise risk management program with our Board maintaining oversight of cybersecurity risk management, and, to that end, the Board typically meets regularly with business personnel responsible for cybersecurity risk management and receives periodic reports.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, third-party cybersecurity software providers. Additionally, we use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management program to manage cybersecurity risks associated with our use of these providers, including the performance of audits. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report, including the “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to interruptions to our operations such as our clinical trials; regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences” risk factor.

Governance

Our Board addresses the Company’s cybersecurity risk management as part of its general oversight function. The Board is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Director of Information Technology who has over twenty years of experience in IT and Systems Administration.

Our Director of Information Technology and Chief Financial Officer (CFO) are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CFO is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our CFO and CEO. The CFO and CEO work with the Director of Information Technology to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response processes include reporting to the Board certain cybersecurity incidents.

The Board receives regular reports from the CFO concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them. The Board also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.