Verve Therapeutics, Inc. - (VERV)
10-K Filing Date: February 27, 2024
We have certain processes for assessing, identifying and managing cybersecurity risks, which are built into our overall information technology function and are designed to help protect employee and third party, including patients, information from unauthorized access or attack, as well as secure our networks and systems. Such processes include physical, procedural and technical safeguards and routine review of our policies and procedures to identify risks and enhance our practices. We have developed an incident response policy which is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate incidents, as well as to comply with applicable legal obligations. Internally and through a third-party service provider, we regularly conduct tests on our systems and incident simulations to help discover potential vulnerabilities, which enable improved decision-making and prioritization and promote monitoring and reporting across compliance functions. As part of our overall risk mitigation strategy, we also maintain cyber insurance coverage; however, such insurance coverage may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches.
We engage certain external parties, including consultants, independent privacy assessors, computer security firms and risk management experts, to assess and enhance our cybersecurity oversight. Our third-party security firms periodically assess our cybersecurity process against the National Institute of Standards and Technology Cybersecurity Framework. We consider the internal risk oversight programs of third-party service providers before
124
engaging them in order to help protect us from any related vulnerabilities. We also regularly consult with industry groups on emerging industry trends.
We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect the company or our business strategy, results of operations or financial condition.
The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk and provides updates to the Board of Directors regarding such oversight. The Audit Committee receives periodic updates from management regarding cybersecurity matters and is notified between such updates regarding significant new cybersecurity threats or incidents.
We have a Vice President, Information Technology, whose team is responsible for leading company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and prepare the Company and its employees to address cybersecurity risks. The Vice President, Information Technology has a Master of Science in Information Technology and has implemented cybersecurity programs at four companies in the biotechnology industry over a 20-year career.
In an effort to deter and detect cyber threats, we annually provide all employees, including part-time and temporary employees, with a data protection, cybersecurity and incident response and prevention training and compliance program, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools that are designed to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.