WINDTREE THERAPEUTICS INC /DE/ - (WINT)
10-K Filing Date: April 16, 2024
We use, store, and process data for and about our employees and suppliers. We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data and our systems.
Risk Management Oversight and Governance
Under the ultimate direction of our Chief Executive Officer, or CEO, and executive management team, our Chief Operating Officer, or COO, has primary responsibility for overseeing our management of cybersecurity risks. Our COO reports directly to our CEO. Our COO has primary responsibility for assessing and managing our cybersecurity threat management program. He has more than 20 years of professional experience and is responsible for our corporate strategy, pipeline development plan, and business development.
The Board of Directors has delegated oversight of the Company’s cybersecurity program to the Audit Committee of the Board of Directors. As provided in the Audit Committee Charter, the Audit Committee is responsible for reviewing reports on data management and security initiatives and significant existing and emerging cybersecurity risks, including cybersecurity incidents, the impact on us and our stockholders of any significant cybersecurity incident and any disclosure obligations arising from any such incidents. The COO reports to the Audit Committee about cybersecurity and cyber risk management on a periodic basis.
Processes for the Identification of Cybersecurity Threats
Our Information Security team is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. It works with other groups in the company to understand the severity of the potential consequences of a cybersecurity incident and to make decisions about how to prioritize mitigation and other initiatives based on, among other things, materiality to the business. The Information Security team has processes designed to keep the company apprised of the different threats in the cybersecurity landscape. These include interacting with intelligence networks, discussions with peers at other companies, monitoring social media, reviewing government alerts and other news items, and attending security conferences.
We have an employee education program that is designed to raise awareness of cybersecurity threats to reduce our vulnerability as well as to encourage consideration of cybersecurity risks across functions. As part of the assessment of the protections we have in place to mitigate risks from cybersecurity threats, we engage our third-party information technology provider to conduct risk assessments on our systems. To assess the effectiveness of our program, we also have engaged our information technology provider to conduct penetration testing and other vulnerability analyses.
Before purchasing third-party technology or other solutions that involve exposure to our assets and electronic information, our information technology provider conducts an evaluation of the company and software prior to authorizing it for installation.
We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats that could affect our information or systems. For more information, see the section titled “Item 1A – Risk Factors.”