Quince Therapeutics, Inc. - (QNCX)

10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity.

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ Audit Committee is responsible for overseeing the Company’s risk management processes, including oversight and mitigation of risks from cybersecurity threats. Management is responsible for the day-to-day administration of our risk management program and our cybersecurity policies, processes, and practices.

Cybersecurity Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data (including intellectual property, confidential information that is proprietary, strategic or competitive in nature) (collectively, “Information Systems and Data”).

We have implemented a cross-functional approach to assessing, identifying and managing material cybersecurity threats and incidents. Our Information Systems Representative and Chief Operating Officer identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment. We use various methods designed to accomplish this task including, for example: manual and automated tools, subscriptions to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, and evaluating threats reported to us.

Depending on the relevant information systems environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response strategies, systems monitoring, personnel training, cybersecurity insurance, data encryption strategies, network security controls, access controls, physical security controls, and asset management (such as tracking and disposal of Company information systems).

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, our IT Department works with management in an effort to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

We use service providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats, including, for example, cybersecurity software providers and professional services firms (including legal counsel). We also use service providers to perform a variety of functions throughout our business, such as application providers, data hosting providers, and CROs. We have a vendor management strategy designed to manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management strategies may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider, such as reviewing their information security documentation and imposing contractual obligations on them with respect to their information security controls.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including Our internal computer systems, or those used by our third-party research institution collaborators, CROs or other contractors or consultants, may fail or suffer security breaches, which could result in adverse consequences including, but not limited to, regulatory investigations or actions, litigation, fines/penalties, disruptions of our business operations, reputational harm, and loss of revenue or profits.

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ Audit Committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our Audit Committee receives regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, threats, risks and mitigation. Our Audit Committee also receives prompt and timely information regarding any cybersecurity risk that meets pre-established reporting thresholds, as well as ongoing updates regarding any such risk.

Our Information Systems Representative, in coordination with senior management including our Chief Operating Officer, works collaboratively across our company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity program, cross-functional teams throughout our company address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the Information Systems Representative and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee when appropriate. The Information Systems Representative has served in various roles in information technology and information security for over 25 years, including serving as the Director of Information Technology of another public company. Our Chief Operating Officer has over 7 years of experience managing information technology, including cybersecurity and risk management.