Fulcrum Therapeutics, Inc. - (FULC)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity

Cyber Risk Management and Strategy

At Fulcrum Therapeutics, we recognize the importance of assessing, identifying, and managing risks from cybersecurity threats. We have implemented a cybersecurity risk management process in accordance with our risk profile and business that is informed by industry standards and is integrated into our enterprise risk management process.

We leverage the support of third-party information technology and security providers, including for periodic security testing and risk assessments, as part of our risk management process, designed to identify, assess, and manage cybersecurity risks. We conduct employee cybersecurity training and maintain an incident response and notification plan designed to assist us in identifying, responding to, and recovering from cybersecurity incidents. Further, we intend to evaluate and update our existing cybersecurity policies and procedures as appropriate to continue to align them to our risk profile.

We have a process to assess the security practices of certain third-party vendors, including through the use of vendor security questionnaires, as appropriate.

Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and breaches of our and our third-party vendors’ data and systems. For more information about these risks, please refer to the section entitled “Risk Factors” in this Annual Report on Form 10-K.

Governance Related to Cybersecurity Risks

Our Executive Director, IT & Operations, or Executive Director, who reports to the Chief Financial Officer, is responsible for the strategic leadership and direction of our cybersecurity program. With over 15 years of experience in information technology, the Executive Director works alongside individuals across other functions, such as legal and engineering, to establish and implement our cybersecurity strategy.

The Executive Director and our Chief Legal Officer participate in periodic discussions with other members of our management, including executive leadership, regarding implementation of our cybersecurity program, program enhancements, and relevant cyber risks or threats. Our Chief Legal Officer has received the National Association of Corporate Directors CERT Certificate in Cyber-Risk Oversight.

Our audit committee has oversight over cybersecurity risks. With the input of the executive team, the Executive Director provides annual presentations to the audit committee on our cyber program, including updates on security testing and assessments, cyber risks, and related cyber strategy as applicable. The management team will also update the full board of directors on matters related to cybersecurity as needed.

Additionally, we have implemented an enterprise risk management process, which addresses cyber risks. This process is led by our Chief Legal Officer and includes participation by the board of directors, as appropriate. Our Chief Legal Officer reports regularly on the enterprise risk management process to executive leadership and the audit committee.