Eiger BioPharmaceuticals, Inc. - (EIGR)
10-K Filing Date: April 08, 2024
ITEM 1C. Cybersecurity
As cyber-attacks become more prevalent, we’ve taken action to mitigate the threat to our business. As described in more detail below and as part of our risk management program, we have established policies and processes for assessing, identifying, and managing material risks from cybersecurity threats. Cybersecurity is a critical element of this program.
Risk Management and Strategy
Management along with the support of a third-party IT firm are responsible for the day-to-day administration of our risk management program and our cybersecurity policies, processes, and practices.
Identification and Reporting
We implemented a cross-functional approach to assessing, identifying, and managing material cybersecurity threats and incidents. We have put in place controls and procedures to identify, classify, and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of material incidents in a timely manner. Incidents are reported and tracked through our third-party IT firm's online support system.
Technical Safeguards
We implemented technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through quarterly vulnerability assessments and cybersecurity threat intelligence, as well as outside periodic audits and certifications.
Incident Response and Recovery Planning
We have established and maintain comprehensive incident response, business continuity, and disaster recovery plans designed to address our response to a cybersecurity incident.
Third-Party Risk Management
We maintain a risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties, including vendors, service providers, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems, including any outside auditors or consultants who advise on our cybersecurity systems.
Education and Awareness
We provide mandatory training for all employees and consultants regarding cybersecurity threats. The goal of the training is to equip our employees with tools and to raise their awareness of cybersecurity risks the Company faces. We conduct random training campaigns via email to test their knowledge and responses. We regularly communicate tips and current events to keep cybersecurity top of mind.
Governance
Board Oversight
Our Board of Directors, in coordination with our Audit Committee, oversees our risk management program, including the management of cybersecurity threats. Our Audit Committee receive quarterly updates on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by our peers and third parties.
In the event of a material incident, our Board of Directors and our Audit Committee would receive from management prompt and timely information regarding any cybersecurity risk that meet reporting thresholds, as well as ongoing updates regarding any such risk.
Management’s Role
Management along with the support of a third-party IT firm are responsible for the day-to-day administration of our risk management program and our cybersecurity policies, processes, and practices.
On a monthly basis, the cross functional team meets to discuss current trends in cybersecurity threats and the response required to eliminate the threats.
As of the date of this report, we have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operation or financial condition. For more information about the risks we face from cybersecurity incidents, please refer to Part I, Item 1A. “Risk Factors” of this report, including under the caption “Failure in our information technology and storage systems or our security measures, including without limitation, data breaches, or inadequacy of our business continuity and disaster recovery plans and procedures, could significantly disrupt the operation of our business.”