Vincerx Pharma, Inc. - (VINC)

10-K Filing Date: March 29, 2024
ITEM 1C. Cybersecurity.

Risk Management and Strategy

We have developed and implemented a cybersecurity policy for assessing, identifying, and managing material risks from cybersecurity threats and have integrated this policy into our overall risk management framework and policies. This policy applies to all of our employees, contractors, and consultants, and any other users who have permanent or temporary access to our data and systems, regardless of their location, device, or network, and all of our employees, contractors, consultants and other users are expected to read, understand, and adhere to this policy and its associated processes and procedures.

Our cybersecurity policy also encompasses the risks associated with our use of third-party service providers. We conduct assessments of our third-party service providers before engagement and maintain ongoing monitoring intended to ensure compliance with our cybersecurity standards.

We are subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft; fraud; extortion; harm to employees, customers, or patients; violation of privacy laws; and litigation, legal, and reputational risk. We have implemented an approach to identify and assess the threats and vulnerabilities that could affect our data and systems. Our policy is aligned with industry standards and best practices, such as the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework Standard (800-53 - Security and Privacy Controls for Information Systems and Organizations).

Supporting technologies, processes, and procedures under our cybersecurity policy include the following:

• identification, credential/authentication, and access management for all users prior to accessing any data and systems;
• encryption of all data at rest and in transit for all devices and cloud services;
• firewalls, antivirus software, security traffic inspections, and other endpoint protection and monitoring tools and techniques;
• automatic updates and patches of all software and systems regularly and fix of all known or reported bugs or vulnerabilities promptly;
• data loss prevention through regular backup of all data and systems and storage of backups in secure and separate locations;
• cybersecurity awareness training for all users to educate them on our policy and procedures as well as best practices, potential vulnerabilities, and common threats and promote a culture of cybersecurity risk management;
• cybersecurity incident response plans that include procedures for analyzing, reporting, and responding to cybersecurity incidents; and
• third-party risk management procedures for service providers, suppliers, and vendors.

We maintain a security team to continuously monitor our data and technology infrastructure, report and respond to cybersecurity incidents, work with users, and report to management and the audit committee. We also maintain a cybersecurity risk insurance policy.

We have not encountered any cybersecurity incidents that have materially affected our business, results of operations, or financial condition.

Governance

Our board of directors considers cybersecurity risk as part of its overall risk oversight function and has delegated that oversight role to the audit committee. The audit committee oversees the implementation of our cybersecurity risk management under the cybersecurity policy.

The audit committee receives regular reports from management on our cybersecurity risks, controls, tools, and incidents. The audit committee reports to the full board of directors regarding its activities, including those related to cybersecurity.

Our Senior Director, IT, Document & Training Compliance, has primary responsibility for developing and implementing our cybersecurity policy and procedures and assessing, monitoring, and managing the prevention, detection, mitigation, and remediation of our cybersecurity risks and incidents. He has served in various roles in information technology and information security for over 20 years, and the IT team holds multiple industry-recognized certifications.

 
