HCW Biologics Inc. - (HCWB)
10-K Filing Date: April 01, 2024
Risk Management
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks.
We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
We have established physical, electronic, and organizational measures to safeguard and secure our systems to prevent a data compromise. Our approach includes, among other things:
These approaches vary in maturity across our business and we work to continually improve them.
As part of the above approach and processes, we periodically engage with assessors, consultants, auditors, and other third parties, including by annually having a third party review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate HCW personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigation.
As of December 31, 2023, we have experienced a few outages which we do not believe impacted the integrity of our data. While we continue to make investments to improve the protection of data and information technology, there can be no assurance that our efforts will prevent service interruptions or security breaches. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Risks Related to Data Privacy and Cybersecurity” included as part of our risk factor disclosures at Item 1A of this Annual Report, which disclosures are incorporated by reference herein.
To date, we have not experienced a material cybersecurity incident and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
Our Audit Committee of our Board of Directors is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Operations Administrator, who is supported by Compass MSP, a leading provider of technology managed services. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks may also be considered during separate Board meeting discussions.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer, who has founded and led several biotech companies for over 20 years, all of which have implemented systems and processes to protect sensitive clinical data and patient information. He is supported by our IT consultant, Compass MSP, a leading provider of technology managed services. Our consultant conducts a vulnerability assessment annually and tests our backup and recovery systems frequently.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident.