CervoMed Inc. - (CRVO)
10-K Filing Date: March 29, 2024
CYBERSECURITY
Cybersecurity Risk Management Program Overview
We recognize the critical role that properly managing cybersecurity risk plays in maintaining the trust and confidence of our stockholders, the patients in our clinical trials, our employees, our business partners and our other stakeholders. Accordingly, our cybersecurity program is designed to identify, assess, manage and mitigate material risks from cybersecurity threats through a variety of measures, including risk assessments, implementation of security measures, and ongoing monitoring of systems and networks. In collaboration with our third-party information technology service providers, a cross-functional team comprised of representatives from our administrative, finance and legal functions actively monitors the current threat landscape in an effort to identify material risks arising from new and evolving cybersecurity threats. We also engage external experts, including information technology experts, other consultants, and auditors to evaluate our cybersecurity measures and risk management processes.
We also identify our cybersecurity threat risks by comparing our processes to industry standards and best practices as well as by engaging experts to manage our information systems. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
● monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
● through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
● employ technical safeguards that are designed to protect our information systems from cybersecurity threats, which are evaluated and improved through vulnerability assessments and other evaluations on a routine basis;
● provide training for our employees regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
● leverage threat intelligence available to us and our third party IT service provider to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
● carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Board Oversight of Cybersecurity Risk Management and Governance
Our Board is responsible for general oversight of our risk environment and associated management policies and practices and has delegated to its Audit Committee the responsibility for oversight of certain of our major risk categories and exposures, including with respect to cybersecurity and management’s processes to monitor and control them. The Audit Committee meets regularly throughout the year and, on no less than a quarterly basis, receives and reviews a report from management, including the Company’s General Counsel, regarding the Company’s IT, cybersecurity, data security, and physical security risk, including any suspected material or immaterial cybersecurity incidents during the preceding quarter, if any, and discusses such matters with appropriate management and other personnel. In addition, on a semi-annual basis, the Audit Committee receives a report from the Company’s primary third-party information technology and cybersecurity regarding the Company’s IT environment, overall cybersecurity risk management program and strategy and education regarding emerging trends and threats.
Management's Role in Cybersecurity Risk Management and Governance
Our executive management team is responsible for assessing and managing material risks from cybersecurity threats and possesses relevant experience and expertise in various disciplines that are key to effectively managing such risks. The experience and expertise of our executive management team is also supplemented by our external IT service providers that collectively have extensive, broad experience and expertise in these areas. Our executive management team reports information about such risks to the Audit Committee of the Board on at least a quarterly basis.
We depend on and engage various other third parties, including suppliers, vendors, and service providers, to support key elements of our business including our information technology infrastructure. Our processes address cybersecurity threat risks associated with our use of such third-party service providers. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Our management is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, including through the receipt of notifications from service providers and reliance on communications with risk management, legal, information technology, and/or compliance personnel.
In response to an identified cybersecurity incident, a group comprised of appropriate management personnel, our third-party information technology service provider and, depending on the scope and severity of the incident, additional third-party subject matter experts, will be assembled to develop and implement a response strategy to contain, control, and remediate the cybersecurity incident, including securing our affected systems and/or information, mitigating harmful effects of the incident, preventing further compromises, and communicating information to affected parties, regulatory agencies and law enforcement, as necessary. This group will also report any such cybersecurity incident to the Audit Committee of the Board.
Assessment of Cybersecurity Risk
The potential impact of risks from cybersecurity threats is assessed on an ongoing basis by both management and the Board, including how such risks could materially affect our business strategy, operational results, and financial condition.
As of the date of this Annual Report, we have not experienced a cybersecurity incident that results in a material effect on our business strategy, results of operations or financial condition, but we cannot provide assurance that we will not be materially affected in the future by such an incident or risks related thereto.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Item 1A. Risk Factors – General Risks Related to the Company’s Business and Operations,” which disclosures are incorporated by reference herein.