Athira Pharma, Inc. - (ATHA)
10-K Filing Date: February 22, 2024
Cybersecurity Risk Management Strategy
We have implemented various processes and policies for identifying, assessing, and managing material risks from cybersecurity threats. Our cybersecurity risk management strategy is designed following the Cybersecurity Framework set by the National Institute of Standard and Technology, or NIST.
We assess our information technology, or IT, environment against the NIST Cybersecurity Framework, as well as various cyber-attack vectors, working to identify and remediate risks. We implement reasonable administrative, technical and procedural safeguards to manage cybersecurity risks, for example, by enforcing single sign-on or multi-factor authentication where supported, and the use of mobile device management to secure company resources on employee personal devices. Additionally, we engage third-party cybersecurity experts to assess the security of our network and perform continuous system monitoring, and we engage a third party to perform internal audits of our IT General Controls, or ITGCs. We have implemented certain processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, for example, by evaluating such service providers’ own cybersecurity processes and reviewing available certification and audit reports, including International Organization for Standardization, or ISO, certifications for information security management systems, and System and Organization Controls, or SOC, reports.
At this time, we have not experienced cybersecurity incidents, or are aware of any risks from cybersecurity threats, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Cybersecurity Governance
Board of Directors
Our board of directors is responsible for general oversight and regular review of information regarding our risks, including cybersecurity risks. Members of management communicate an overview of our current cybersecurity environment to our board of directors at least annually and provide updates to our board of directors regarding cybersecurity matters periodically throughout the year. Additionally, our third-party auditors inform the audit committee of our board of directors of our ITGC framework and control testing results, which include controls related to cybersecurity risks. Further, management has established cybersecurity incident response processes for escalating the communication of cybersecurity incidents up to the board of directors, as appropriate.
Management
Material risks from cybersecurity threats are assessed and managed by a dedicated team comprised of internal and external IT professionals experienced in cybersecurity threat risk management, who ultimately report to our chief operating officer. Our chief operating officer has extensive strategic and operational experience at several life sciences companies, leading a wide range of business functions, including IT. Our technology team leader has over 20 years of experience with IT and cybersecurity risk management, having served in senior executive-level IT positions at multiple Fortune 500 companies and companies within the life sciences industry.
The technology team leader oversees our internal team of IT professionals, which continuously monitors our IT environment for cybersecurity threats and incidents. Our IT professionals routinely report on cybersecurity incident prevention, detection, mitigation, and remediation efforts to our technology team leader and chief operating officer. Additionally, we have established policies addressing processes for responding to potential cybersecurity incidents, including assessment, communication, and remediation
114
protocols. Our incident response processes further provide for the escalation of cybersecurity incidents to our executive management team and board of directors, as appropriate.