Alaunos Therapeutics, Inc. - (TCRT)
10-K Filing Date: April 01, 2024
Cybersecurity Program
We have implemented a cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of safeguards, such as: password protection; multi-factor authentication; monitoring and alerting systems for internal and external threats; and regular evaluations of our cybersecurity program.
We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider. We also seek to include appropriate security terms in our contracts, where applicable, as part of our oversight of third-party providers.
Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
We maintain an incident response program. In the event of a cybersecurity incident, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We maintain an Incident Response Plan, which includes an Incident Response Process in the event of a significant cybersecurity incident. In the event of a significant cybersecurity incident, our head of administration will chair an incident response team to handle the incident. Such incident response team will include members of IT, finance (if applicable), legal, communications, human resources and any affected unit or department. IT, along with a designated forensic team, will use the Incident Response Process to guide the response.
Governance
Management Oversight
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our head of administration and our managed service provider. Our head of administration has over four years of experience addressing cybersecurity risks. Our head of administration is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Our head of administration oversees the Incident Response Plan and briefs our board of directors on cybersecurity matters, including the nature and design of our cybersecurity program, and threats, events, and program enhancements.
Board Oversight
In its oversight role, our Board of Directors is expected to specifically consider risks, including with respect to privacy, information technology and cybersecurity and threats to technology infrastructure.
On a regular basis, the head of administration reports to our Board of Directors on cybersecurity matters, including key risks, the potential impact of those exposures on our business, financial condition, results of operations, cash flows and prospects, and the programs and steps implemented by our management team to monitor and mitigate risks.
Cybersecurity Risks
Our cybersecurity risk management processes are integrated into our overall approach to risk management. Given our nature and size, we do not have a dedicated enterprise risk function, but our management team regularly considers and evaluates risks. As part of that risk management process, our management team identifies, assesses and evaluates risks impacting our operations, including those risks related to cybersecurity, and raises them for internal discussion, and where it is determined to be appropriate, issues are also raised to our Board of Directors for consideration.
As of the date of this Annual Report on Form 10-K, we are not aware of any previous cybersecurity incidents that have materially affected our business, financial condition, results of operations, cash flows and prospects or that are reasonably likely to have such a material effect. While we have implemented a cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information regarding risks relating to privacy and cybersecurity, see "Item 1A—Risk Factors—Risks Related to Our Business."