Aclaris Therapeutics, Inc. - (ACRS)
10-K Filing Date: February 27, 2024
Risk Management and Strategy
We rely on information technology and data to operate our business of developing new drugs and providing contract research services. Our critical information technology resources include computer networks and hardware, third party hosted services, communications systems and software, and critical data including confidential, personal, proprietary and sensitive data (collectively, “Information Assets”). To operate our business, we also utilize certain third-party service providers to perform a variety of functions, such as professional services, SaaS platforms, managed services, cloud-based infrastructure, encryption and authentication technology, corporate productivity services, and other functions. Accordingly, we have implemented and maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess and manage potential material impact to our business. We implement and maintain various information security and risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business.
We rely on a multidisciplinary team (including members from information technology (IT), which reports to our Chief Financial Officer, finance, and legal, as well as third party service providers as described further below) to identify, assess, and manage cybersecurity threats that could impact our business. We assess the likelihood that such threats could result in a material impact to our Information Assets, operations, ability to provide our services, core business functions, personnel, reputation and identified critical business objectives.
Risks from cybersecurity threats are among those that we address in our general risk management program. We identify, assess, and manage such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, conducting scans of the threat environment, and conducting vulnerability assessments. We also engage third parties to conduct annual penetration tests, as well as to provide threat and security risk assessments and intelligence feeds.
Based on our assessment process and depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate such risks and potential material impacts. These measures we implement for certain of our Information Assets include: policies and procedures designed to address cybersecurity threats, including an incident response plan; incident detection and response; risk assessments; background checks on our personnel; encryption of data; network security controls; data segregation; access controls; physical security; asset management, tracking and disposal; employee security training; penetration testing; and cyber insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, the IT department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.
We work with third parties from time to time that assist us to identify, assess, and manage material risks from cybersecurity threats, including, for example, professional services firms (including legal counsel), threat intelligence service providers, cybersecurity software providers, managed cybersecurity service providers, forensic investigators, and penetration testing firms.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, refer to “Item 1A. Risk factors” in this Annual Report on Form 10-K, including “If our information technology systems, those of third parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”
Governance
Our board of directors, through its Audit Committee, is responsible for overseeing the Company’s risk management strategy with respect to cybersecurity threats. The Audit Committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Chief Financial Officer who is supported by our IT department which includes personnel with over 10 years of experience overseeing and working with various cybersecurity tools.
Our cybersecurity risk management strategy relies on input from management to help us understand cybersecurity risks, establish priorities, and determine the scope and details of our cybersecurity program and to implement it. Management, including our Chief Financial Officer, is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Management, including our Chief Financial Officer and General Counsel, is also responsible for hiring appropriate personnel, engaging third party vendors, integrating cybersecurity considerations into the company’s overall risk management strategy, approving cybersecurity policies and procedures, and overseeing employee training. Our cybersecurity incident response process involves members of management who also participate in our disclosure controls and procedures.
Our cybersecurity incident response plan and information security incident response procedures are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Chief Financial Officer and the General Counsel. The Chief Financial Officer and the General Counsel work with our cybersecurity incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our cybersecurity incident response plan includes reporting to the Audit Committee for certain cybersecurity incidents.
Members of management meet periodically with the IT department to discuss cybersecurity risk and to review our cybersecurity program, and report to the Audit Committee. The Audit Committee holds meetings biannually to discuss cybersecurity issues including our cybersecurity threats, and has a dedicated agenda during such meetings that is designed to assist the Audit Committee to exercise its oversight function. These meetings involve regular presentations and reports from management and third party providers, including updates of contemporary cybersecurity threats faced by us and steps we are taking to address them.