PLUS THERAPEUTICS, INC. - (PSTV)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity

Cybersecurity Program

We have implemented a cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of safeguards, such as: password protection; multi-factor authentication; monitoring and alerting systems for internal and external threats; and regular evaluations of our cybersecurity program.

We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider. We use a number of means to assess cyber risks related to our third-party service providers, including conducting due diligence in connection with onboarding new vendors. We also seek to include appropriate security terms in our contracts, where applicable, as part of our oversight of third-party providers.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

We maintain an incident response program. In the event of a cybersecurity incident, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We maintain a Data Breach Response Policy, which includes an Incident Response Plan (“IRP”) in the event of a significant cybersecurity incident. In the event of a significant cybersecurity incident, our Chief Financial Officer (“CFO”) will chair an incident response team to handle the incident. Such incident response team will include members of IT, finance (if applicable), legal, communications, human resources and any affected unit or department. IT, along with a designated forensic team, will use the IRP to guide the response.

Governance

Management Oversight

The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Information Technology and Facilities Director (the “ITFD”). Our ITFD is a third-party consultant, from whom we have a dedicated resource who specializes in the industry and has over 25 years of experience addressing cybersecurity risks. Our ITFD is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Our CFO oversees the ITFD and briefs our Board on cybersecurity matters, including the nature and design of our cybersecurity program, and threats, events, and program enhancements.

Board Oversight

While the Board has overall responsibility for risk oversight, the Board recently delegated to the audit committee of the Board the responsibility for assisting the Board with cybersecurity disclosure matters. In its oversight role, the Board is expected to specifically consider risks that relate to the reputation of the Company and the general industry in which we operate, including with respect to privacy, information technology and cybersecurity and threats to technology infrastructure.

On a regular basis, the CFO reports to the Board on cybersecurity matters, including key risks, the potential impact of those exposures on the Company’s business, financial results, operations and reputation and the programs and steps implemented by management to monitor and mitigate risks.

Cybersecurity Risks

Our cybersecurity risk management processes are integrated into our overall approach to risk management. Given the nature and size of our Company, we do not have a dedicated enterprise risk function, but our executives regularly consider and evaluate risks to our Company. As part of that risk management process, members of our executive team identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity, and raise them for discussion with other executives, and where it is determined to be appropriate, issues are also raised to the Board for consideration.

As of the date of this report, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected our business strategy, results of operations or financial condition or are reasonably likely to have such a material effect. While we have implemented a cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information regarding risks relating to privacy and cybersecurity, see “Item 1A—Risk Factors.”