CERO THERAPEUTICS HOLDINGS, INC. - (CERO)
10-K Filing Date: April 02, 2024
We use, store and process data for R&D and business operations. Such data includes, but is not limited to, scientific and clinical data, financial data, strategic information, and information about employees, shareholders and suppliers. This makes us subject to various cybersecurity risks that could adversely affect our business, financial condition and results of operations through intellectual property theft, financial theft, fraud, extortion, harm to employees, violation of privacy laws, other litigation and legal risk, and reputational risk.
We have adopted an Enterprise Risk Management (“ERM”) policy that includes cybersecurity risk management as a key area to which the ERM policy is applied. Our ERM program is designed to define the corporate risk tolerance and align assumed risks to that tolerance through risk identification, prioritization, assessment, mitigation and planned responses if a risk is realized. These elements are applied to cybersecurity as well as to other sources of risk.
Risk Management Oversight and Governance
Under the ultimate direction of our Chief Executive Officer and executive management team, our risk committee (the “Risk Committee”) has primary responsibility for overseeing the management of cybersecurity risks. It is chaired by our chief financial officer (the “Chief Financial Officer”). Other members of the committee include internal or external representatives with relevant knowledge from the R&D, information technology and legal functions, as well as senior management. Our Chief Financial Officer has 25 years of experience, several of them as the individual responsible for information technology and cyber risk management and as executive head of risk management.
In addition to frequent electronic communication, the committee meets periodically and as circumstances warrant to discuss and monitor prevention, detection, mitigation and remediation of risks from cybersecurity threats. On a regular basis, the Chief Financial Officer also updates the executive management team on developments within the cybersecurity sphere.
The board of directors has delegated oversight of our cybersecurity program to the Audit Committee. As provided in the Audit Committee charter, the Audit Committee is responsible for the review and assessment of a) cybersecurity procedures and policies, b) cybersecurity-related risk mitigation initiatives, c) significant existing or emerging cybersecurity risks (if any), d) the impact of any incident and the execution of event-related plans, and e) disclosure requirements for any significant cybersecurity incident.
Our Chief Financial Officer meets on a periodic basis with the Audit Committee of the board of directors to discuss management’s ongoing cybersecurity risk management programs. Information is provided about the sources and nature of the cybersecurity risks we face, how management assesses the likelihood and severity of the impact of such risks, progress on any active projects, and any current developments in the cybersecurity landscape. At the Audit Committee’s discretion, material findings may be escalated to the entire board of directors. The chair of the Audit Committee is a chief financial officer with existing cybersecurity and risk management responsibilities at a similar public company.
Processes for the Identification of Cybersecurity Threats
Under the guidance of the Risk Committee and the Chief Financial Officer, we have adopted a cybersecurity risk management program that addresses four key areas:
● Identification of assets at risk from cybersecurity threats
● Identification of potential sources of cybersecurity threats
● Assessment of the status of protections in place to prevent or mitigate cybersecurity threats
● Given that landscape, how to manage cybersecurity risks
Our risk assessment and mitigation program is centered on three key components:
● identification of risks, which involves input from different groups across our company;
● evaluation of the likelihood of the risks manifesting, the severity of the potential consequences and prioritization of different risk items based on, among other things, importance to the business and a cost/benefit analysis of fully addressing them; and
● execution: establishment of a program to address the prioritized risks.
Our information technology team (the “Information Technology Team”) is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. It works with others within our company to understand the severity of the potential consequences of a cybersecurity incident and to make decisions about how to prioritize mitigation and other initiatives based on, among other things, materiality to the business. The Information Technology Team has processes designed to keep us apprised of the different threats in the cybersecurity landscape; this includes working with consultants, discussions with peers at other companies, and reviewing government alerts and other news items. The team also regularly monitors our network(s) to identify security risks.
We have an employee education program that is designed to raise awareness of cybersecurity threats, to reduce our vulnerability and to encourage consideration of cybersecurity risks across functions.
We monitor risks through active (e.g., vulnerability scans) and passive (e.g., endpoint protection) methods and address system alerts on a continuous basis.
As part of the assessment of the protections we have in place to mitigate risks from cybersecurity threats, we engage third parties to conduct risk assessments on our systems.
Before purchasing third-party technology or other solutions that involve exposure of our assets and electronic information, our Information Technology Team reviews the vendor (evaluating suitability, risk and impact) before it is approved to work with us.