Kura Oncology, Inc. - (KURA)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, financial, or competitive in nature, information related to our clinical trials and preclinical studies and information of our employees, or Information Systems and Data.

Our Information Technology, or IT, department identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, manual and automated tools, subscribing to and analyzing reports and services that identify cybersecurity threats and threat actors, evaluating threats that are reported to us, using external intelligence feeds, engaging in internal and external audits, and engaging third parties to conduct threat assessments.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, a disaster recover/business continuity plan and information security policy, encrypting certain data, data segmentation, network security controls, access and physical security controls, asset management, tracking and disposal, systems monitoring, employee training, maintaining cyber insurance and using third party threat detection software.

The head of our IT department reports to our Chief Operating Officer, or COO, and works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. We have established an Incident Review Team, which consists of representatives of our Finance, IT and Legal departments, to investigate, evaluate and respond to cybersecurity incidents. The Incident Review Team is responsible for escalating confirmed cybersecurity incidents to a Materiality Assessment Team, consisting of members of management. The Materiality Assessment Team is responsible for reporting cybersecurity incidents to the audit committee of the board of directors, as appropriate based upon the nature of the incident (or series of incidents).

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example threat intelligence service providers, cybersecurity software, and darkweb monitoring services. We also use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the section entitled “Risks Related to Employee Matters, Managing Growth and Macroeconomic Conditions.”

Governance

Our cybersecurity risk assessment and management processes are implemented and maintained by certain company management, including the head of our IT department. The head of IT is responsible for integrating cybersecurity risk considerations into our overall risk management strategy, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response policy is designed to escalate certain cybersecurity incidents to our Materiality Assessment Team, comprised of members of management. In addition, our cybersecurity incident response policy includes reporting to the audit committee of the board of directors for certain cybersecurity incidents.

The audit committee receives regular reports from the head of our IT department concerning the measures we have taken to monitor and evaluate our cybersecurity threat environment and any cybersecurity incidents that have occurred.

74