Keros Therapeutics, Inc. - (KROS)
10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data and information related to our product candidates, preclinical studies and clinical trials, which we refer to collectively as Information Systems and Data.
Our information technology and security, or IT, team and risk committee, together with our third-party service providers, help identify, assess and manage our cybersecurity threats and risks. In doing so, they identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using a multi-faceted approach including use of automated tools, internal and external IT audits, and IT security, governance, risk and compliance reviews, reviewing reports and using services that identify cybersecurity threats, conducting threat and vulnerability assessments, and evaluating reported threats as well as the industry’s risk profile.
We implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: maintaining an incident response plan and policy, incident detection and response, maintaining a vulnerability management policy, maintaining disaster recovery and business continuity plans, conducting risk assessments, implementing security standards and certifications, maintaining network security controls, access controls, and physical security measures, asset management, systems monitoring, conducting proactive privacy and cybersecurity reviews of systems and applications, performing penetration testing using external third-party tools and techniques to test security controls, conducting employee training, monitoring emerging laws and regulations related to data protection and information security and implement appropriate changes and encrypting Information Systems and Data. In addition, we maintain cybersecurity insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, our IT team works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. Additionally, our risk committee evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors, which evaluates our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional services firms, including legal counsel, threat intelligence service providers, cybersecurity consultants and software providers, managed cybersecurity service providers, penetration testing firms and dark web monitoring services.
Our risk management program also assesses third party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers when handling or processing our Information Systems and Data. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. “Risk Factors” in this Annual Report on Form 10-K, including under the heading “If our internal computer systems, or those used by our contract research organizations, or other contractors or consultants upon which we rely, fail, suffer security incidents, or are or were otherwise compromised, we could experience adverse consequences, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse consequences.”
Cybersecurity Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. Our audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Members of our audit committee receive updates on a regular basis from senior management, including leaders from our IT and legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
92
Our cybersecurity risk assessment and management processes are implemented and maintained by leaders from our IT, finance and legal teams, including our Head of IT, who has experience in various roles involving information technology and cybersecurity. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to our audit committee on any appropriate items.
Our Head of IT is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Chief Financial Officer is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Financial Officer, Chief Operating Officer, General Counsel and Head of Human Resources. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. Our Head of IT works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response plan includes reporting to our audit committee for certain cybersecurity incidents.