Annovis Bio, Inc. - (ANVS)
10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity.
Risk Management and Strategy
The Company has adopted processes designed to identify, assess and manage material risks from cybersecurity threats, which are integrated into the Company’s overall risk management systems and processes. Those processes include responding to and assessing internal and external threats to the security, confidentiality, integrity and availability of our data and information systems, along with other material risks to our operations. The Company references the National Institute of Standards and Technology Cybersecurity Framework to help identify, assess, and manage cybersecurity risks and has adopted and tested a formal cybersecurity incident response plan. As part of our risk management process, the Company engages a third-party provider to conduct periodic maturity assessments. The Company stores data in cloud environments, with security appropriate to the data involved, and has adopted controls around, among other things, access and acceptable use, backup and recovery and vendor risk assessment.
Our cybersecurity program is managed by the Annovis Incident Management Committee (the “AIMC”). The AIMC serves as the core team responsible for managing the enterprise-wide cybersecurity policy, maintenance and compliance across all platforms. The AIMC is responsible for the detection and initial assessment of potential cybersecurity threats and incidents. The AIMC classifies detected cyber incidents to allow prioritization, response and escalation. Incidents are documented for internal reporting processes and regularly shared with senior management.
Our third-party IT service provider is a key part of our cybersecurity program. We partner with a cybersecurity company and leverage their technology and expertise to better protect the Company. From time to time, we engage this vendor to monitor our environment, which includes an outsourced security operations center. We may also from time to time engage partners for periodic penetration testing and vulnerability assessments. We intend to continue to work to formalize our cybersecurity program, including developing processes for third-party service provider cyber-risk oversight and management.
In the event of a potential cybersecurity incident, the AIMC will conduct an assessment to determine the nature and scope of the incident and manage the incident in accordance with our incident response plan until the incident is contained and resolved. The AIMC will document findings and make them available to the Disclosure Committee, which includes cross-functional senior management representation from legal, finance, investor relations and business segments. The Disclosure Committee, in conjunction with third-party experts, including outside legal counsel, is responsible for assessing the materiality of any cybersecurity incident and coordinating external communications and disclosures, including with the Securities and Exchange Commission.
As of December 31, 2023, we are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company's business strategy, results of operations, or financial condition, although we may be materially affected in the future by such risks or future material incidents. See “Risk Factors—Risks Related to Our Business Operations—Disruption, failure or cyber security breaches affecting or targeting computers and infrastructure used by us or our business partners may adversely impact our business and operations” for additional information regarding cybersecurity risks.
Governance
Roles and Responsibilities
Cybersecurity is an important part of our risk management processes and an area of focus for the Annovis management and Board of Directors. We continue to invest in cybersecurity and enhance our internal controls and processes, which are designed to help protect our systems and the information they contain.
Our Board is actively involved in the assessment, oversight and management of the material risks that could affect the Company. The Board has delegated to the Audit Committee the responsibility to oversee the integrity of the Company’s information technology and cybersecurity risks and to assess the risks and incidents relating to cybersecurity threats. While our Board and Audit Committee oversee cybersecurity risk, management, through the AIMC, is responsible for the implementation and management of cybersecurity risk management systems and processes and for the communication of incidents to senior management and the Audit Committee.
The AIMC meets with the Audit Committee on a quarterly basis and meets with the BOD at least annually. Additionally, the Audit Committee regularly meets with members of the Company’s internal audit function to discuss risk management activities, compliance, best practices, and other related matters.