AEON Biopharma, Inc. - (AEON)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity

We maintain a cybersecurity risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats and to protect the confidentiality, integrity, and availability of our critical systems and information.

The underlying process and controls of our cyber risk management program incorporate recognized best practices and standards for cybersecurity and information technology (“IT”), including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). We have an annual risk assessment performed by a third-party specialist of our cyber risk management program against the NIST CSF. This assessment identifies, quantifies, and categorizes material cyber risks. In addition, the Company, in conjunction with our third-party specialists, has developed a risk mitigation plan to address such risks and, where necessary, to remediate potential vulnerabilities identified through the assessment process.

We maintain policies and processes over areas such as information security, IT asset lifecycle, data destruction, backup, access provisioning, and maintenance of network accounts, to help govern the processes put in place by management designed to protect our IT assets, data, and services from threats and vulnerabilities. We partner with cybersecurity providers and consultants (collectively, “providers”) leveraging third-party technology and expertise. These providers are a key part of our cybersecurity risk management strategy and infrastructure. These providers deliver services including systems inventory monitoring, vulnerability testing, user management including restricted access of privileged accounts, capacity monitoring, network protection and monitoring, endpoint protection, managed detection and response, remote monitoring and management, cybersecurity user awareness training, data backup management, incident response, cybersecurity strategy, and cyber risk advisory, assessment, and remediation.

Our management team, in conjunction with our third-party IT and cybersecurity service providers, is responsible for oversight and administration of our cyber risk management program, and for informing senior management and other relevant stakeholders regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our management team, in conjunction with our strategic third-party partners, oversees our cybersecurity technologies, initiatives, and processes, and relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged for strategic cyber risk management, advisory and decision making.

We have implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third parties that may lead to a service disruption or an adverse cybersecurity incident. This includes an assessment of vendors during the selection and onboarding process, review of System and Organization Controls (SOC) reports on an annual basis, and a regular review of vendor contracts.

We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We acknowledge that the risk of cyber incidents is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of business. The Company has not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, financial condition, results of operations, or cash flows. We proactively seek to detect and investigate unauthorized attempts and attacks against IT assets, data, and services, and to prevent their occurrence and recurrence where practicable; however, potential vulnerabilities to known or unknown threats will still remain.

Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors, and additional stakeholders, which could subject the Company to additional liability and reputational harm. In response to such risks, we have implemented initiatives such as implementation of the cybersecurity risk assessment process and development of an incident response plan.

For more information, see the section titled “Risk Factor— Our business and operations would suffer in the event of computer system failures, including but not limited to our information technology systems, infrastructure and data, or those of our third-party vendors, contractors or consultants failing, becoming unavailable, or suffering security breaches, losses or leakages of data and other disruptions, which could result in disruption of our services, compromise sensitive information (including personal information) related to our business, or prevent us from accessing critical information, potentially exposing us to liability or otherwise adversely affecting our business.”

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity, data privacy and other information technology risks. The Committee oversees management’s implementation of our cybersecurity risk management program and cybersecurity risk exposures, and the steps taken by management to monitor and mitigate cybersecurity risks. The Committee is composed of members of our board of directors with diverse expertise, including risk management, biotechnology, chief executive officer and chief financial officer roles, and multiple public company directorships, which has prepared them to oversee our cybersecurity risks.

The Committee receives periodic reports from management on our cybersecurity risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.

The Committee reports to the Board regarding its activities, including those related to cybersecurity. The Board also receives briefings from management on our cybersecurity risk management program. Board members receive presentations on cybersecurity topics from our Chief Financial Officer and EVP, Chief Legal Officer, internal security consultants and external experts as part of the Board’s continuing education on topics that impact public companies.

Our management team, including our Chief Financial Officer and EVP, Chief Legal Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security consultants; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment. Our management team’s experience includes monitoring the cybersecurity landscape for new risks and best practices, developing and executing cybersecurity strategies, overseeing related governance policies, testing compliance with applicable technical standards, remediating known risks and leading employee training programs.