Cogent Biosciences, Inc. - (COGT)
10-K Filing Date: February 26, 2024
Cyber Risk Management and Strategy
We have developed and maintain processes designed to assess, identify, and manage cybersecurity risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. The scope of these processes includes risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by or maintained at third-party service providers. These processes are managed and monitored by a dedicated information technology team, which is led by our Head of IT, who reports to our Chief Technology Officer, and include mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. We constantly monitor our information technology environment for abnormal behavior, conduct penetration and vulnerability testing, data recovery testing, security audits, and ongoing risk assessments, including due diligence on our key technology vendors and other third-party service providers that have access to the personal information we collect, use, store, and transmit. We also conduct periodic employee trainings on cyber and information security, among other topics. We leverage standard industry tools from a software and hardware perspective and maintain a cybersecurity risk insurance policy.
In addition, we consult with outside advisors and experts on a regular basis to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk environment. We have retained VeraSafe, LLC (“VeraSafe”) to help review and monitor our practices and processes related to personal data and compliance with applicable data protection laws. VeraSafe acts as our Data Protection Officer pursuant to the European Union and United Kingdom General Data Protection Regulation and has served in this capacity since May 2021.
We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity risks and threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Risks Related to Employee Matters and Managing Growth.”
Governance Related to Cybersecurity Risks
The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives periodic updates on cybersecurity and information technology matters and related risk exposures. The Board also receives updates from management and the Audit Committee on cybersecurity risks on at least an annual basis.
Our Head of IT, who reports to the Chief Technology Officer, a member of the executive team, has over 20 years of experience managing information technology and cybersecurity matters. The Head of IT and the Chief Technology Officer, together with our senior leadership team, are responsible for assessing and managing cybersecurity risks and they work collaboratively across our company to implement policies and procedures designed to protect our information and systems from cybersecurity threats and to respond promptly to any material cybersecurity incidents in accordance with our incident response plans. A cross-functional team is responsible for responding to cybersecurity incidents.