Tonix Pharmaceuticals Holding Corp. - (TNXP)

10-K Filing Date: April 01, 2024
ITEM 1C. Cybersecurity Disclosures

 

Cybersecurity Risk Management

 

We, like other companies in our industry, face several cybersecurity risks in connection with our business. Our business strategy, results of operations, and financial condition have not, to date, been affected by risks from cybersecurity threats. During the reporting period, we have not experienced any material cyber incidents, nor have we experienced a series of immaterial incidents, which would require disclosure.

 

In the ordinary course of our business, we use, store and process data including data of our employees, partners, collaborators, and vendors. To effectively prevent, detect, and respond to cybersecurity threats, we maintain a cyber risk management program, which is comprised of a wide array of policies, standards, architecture, and processes. The cyber risk management program falls under the responsibility of our Director of Information Technology (“IT”), who has cross-functional expertise in IT, computer science, cybersecurity, and more than 20 years of experience. The IT Director leads a team of IT specialists with similar IT and cybersecurity backgrounds. Under the guidance of our IT Head, we develop, maintain, and evidence the policies, standards, and processes in a manner consistent with applicable legal requirements. We also utilize a variety of cybersecurity software from reputable vendors.

 


We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data and our systems and ensure the effectiveness of our security controls. Our cybersecurity risk management program is intended to address applicable NIST 800-171 & CMMC requirements for our business. Our cybersecurity risk management program incorporates several components, including information security program assessments, continuous monitoring of critical risks from cybersecurity threats using automated tools, backup testing, periodic threat testing, and documented standards, policies, and procedures. We deploy a wide range of security tools across the environment, and implement access control policies to further limit access to data within the systems.

 

We periodically engage third parties to conduct risk assessments, including penetration testing, tabletops and other system vulnerability analyses. As a result of these assessments and testing, we have not identified any material cybersecurity risks and are constantly hardening our environment. Additionally, our program includes annual cybersecurity training for all employees.

 

Cybersecurity Governance

 

Our Board of Directors (“Board”) is responsible for the oversight of cybersecurity risk management. The Board delegates oversight of the cybersecurity risk management program to the Information Security Oversight Committee (“ISOC”). The Chief Financial Officer (“CFO”), who serves on ISOC, provides updates to the Audit Committee on our cybersecurity risk management program, including any critical cybersecurity risks, ongoing cybersecurity initiatives and strategies, and applicable regulatory requirements and industry standards on a quarterly basis. The CFO also notifies the Board and Audit Committee of any cybersecurity incidents (suspected or actual) and provides updates on the incidents as well as cybersecurity risk mitigation activities as appropriate.