PIERIS PHARMACEUTICALS, INC. - (PIRS)
10-K Filing Date: March 29, 2024
Cybersecurity
We recognize the critical importance of maintaining the trust and confidence of our patients, employees, and business partners toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our audit committee of the board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. We have taken into account recognized frameworks established by the National Institute of Standards and Technology, or NIST, when developing cybersecurity policies, standards, processes and practices among other considerations. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Cybersecurity Risk Management and Strategy; Effect of Risk
We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and services, including phishing training, regular network and endpoint monitoring, audits, vulnerability assessments, to inform our risk identification and assessment. As discussed in more detail under “Cybersecurity Governance; Management” below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by the General Counsel and third-party information technology and security providers who act as our information technology team.
We also identify our cybersecurity threat risks by comparing our processes to standards set by NIST. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
• | monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws; | |
• | through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care and enter into confidentiality agreements, and enter into data processing agreements with third parties that are processing personal data we control; | |
• | employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including physical security measures to prevent access to data processing systems, firewalls, intrusion prevention and detection systems, email security controls, anti-malware functionality and access controls, endpoint detection and response systems, all of which are evaluated and improved through internal and external vulnerability assessments and cybersecurity threat intelligence; | |
• | provide mandatory training and notifications for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to understand, identify and address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices; | |
• | conduct mandatory annual phishing training and regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats; | |
• | utilize pseudonymized data for patients and use other encryption methods to ensure security of personal data; | |
• | leverage procedures informed by appropriate incident handling frameworks to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and | |
• | carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident. |
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
As part of the above processes, we engage with third parties, including annually having a qualified third-party review our incident response plan and our cybersecurity measures to help identify areas for continued focus, improvement and compliance.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those who have access to patient and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and assess cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, for example, by engaging with known, reputable vendors, and requiring they have industry standard safeguards and notification procedures. We may also ask vendors associated with increased cybersecurity risk to complete a periodic questionnaire regarding their security practices for ongoing vendor management purposes.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Significant disruptions of information technology systems or security breaches could adversely affect our business” in Item 1A, Risk Factors, which disclosures are incorporated by reference herein.
In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. We also have not been subject to any penalties or settlements.
Cybersecurity Governance; Management
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats.
At least quarterly, our audit committee receives an update from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our audit committee generally receives materials that include discussions of current and emerging general material cybersecurity threat risks, including our particular cyber risk situation, and describing our ability and strategy to mitigate those risks and may discuss such matters with our Information Technology team or General Counsel. Our audit committee also receives prompt and timely information regarding any cybersecurity incident that meets reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Members of our audit committee are also encouraged to regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our external Information Technology team, an Information Technology council composed of various management and senior level employees, and the General Counsel. Such individuals have collectively over 10 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as several relevant degrees. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these management team members report to the audit committee of our board of directors about cybersecurity threat risks, among other cybersecurity related matters, at least annually.