Petros Pharmaceuticals, Inc. - (PTPI)

10-K Filing Date: April 01, 2024

ITEM 1C. CYBERSECURITY

We operate in the pharmaceutical industry, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including: intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We currently have security measures in place to protect customers’, employees’, and vendors’ information and prevent data loss and other security breaches, including a cybersecurity risk assessment program. Both management and the Board of Directors are actively involved in the continuous assessment of risks from cybersecurity threats, including prevention, mitigation, detection, and remediation of cybersecurity incidents.

Members of our executive management team are responsible for day-to-day assessment and management of risks from cybersecurity threats, including the prevention, mitigation, detection, and remediation of cybersecurity incidents. The individuals currently serving in these roles are our President and Chief Commercial Officer and our Vice President, Finance and Chief Accounting Officer. The executive management team monitors current events in order to remain aware of current cybersecurity threats. The executive management team is informed and alerted by our information technology (“IT”) consultant and our frontline personnel of any specific incidents, in addition to cybersecurity risks. Our executive management will inform our Board of Directors of cybersecurity incidents if and when they may arise. Additionally, the Board considers risks from cybersecurity threats as part of its holistic assessment of the risks facing our business.

Our current cybersecurity risk assessment program consists of processes designed to assess, identify and manage cybersecurity risks, including the use of anti-virus software, multi-factor authentication and risky/suspicious log-in monitoring. We leverage the advice of third-party consultants, including our IT consultant, to help us assess and identify risks from cybersecurity threats, including the threat of a cybersecurity incident, and manage our risk assessment program. Among other things, these providers advise on best practices for safeguarding company data.

We also have policies and procedures to oversee and identify the risks from cybersecurity threats associated with our use of third-party service providers. Our third-party service providers provide us with SOC-1 reports, which document their internal controls, on a regular basis. Our executive management team reviews these reports as part of its assessment of the effectiveness of our internal control over financial reporting. We use such reports to assess and mitigate the risks associated with the use of third-party providers.

To date, no cybersecurity incident (or aggregation of incidents) or cybersecurity threat has materially affected our results of operations or financial condition. However, an actual or perceived breach of our security could damage our reputation, cause existing customers to discontinue purchasing our products, prevent us from attracting new customers, interfere with our efforts to pursue regulatory approvals for our product candidates, or subject us to third-party lawsuits, regulatory fines or other actions or liabilities, any of which could adversely affect our business, operating results or financial condition. For further information, see “Risk Factors—Cyberattacks and other data security breaches could compromise our proprietary and confidential information, which could harm our business and reputation or cause us to incur increased expenses to address any such breaches.” in Item 1A of this Annual Report on Form 10-K. We have attempted to preemptively mitigate the financial impact of any cybersecurity incident and currently maintain limited cyber liability insurance. However, our cyber liability insurance may be inadequate or may not be available in the future on acceptable terms, or at all. In addition, our cyber liability insurance may not cover all claims made against us, and defending a suit, regardless of its merit, could be costly and divert management’s attention from our business and operations.
