Athira Pharma, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Athira Pharma, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:15:50 EST.

Filings

10-K filed on 2024-02-22

Athira Pharma, Inc. filed an 10-K at 2024-02-22 16:15:50 EST
Accession Number: 0000950170-24-018787

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management Strategy We have implemented various processes and policies for identifying, assessing, and managing material risks from cybersecurity threats. Our cybersecurity risk management strategy is designed following the Cybersecurity Framework set by the National Institute of Standard and Technology, or NIST. We assess our information technology, or IT, environment against the NIST Cybersecurity Framework, as well as various cyber-attack vectors, working to identify and remediate risks. We implement reasonable administrative, technical and procedural safeguards to manage cybersecurity risks, for example, by enforcing single sign-on or multi-factor authentication where supported, and the use of mobile device management to secure company resources on employee personal devices. Additionally, we engage third-party cybersecurity experts to assess the security of our network and perform continuous system monitoring, and we engage a third party to perform internal audits of our IT General Controls, or ITGCs. We have implemented certain processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, for example, by evaluating such service providers own cybersecurity processes and reviewing available certification and audit reports, including International Organization for Standardization, or ISO, certifications for information security management systems, and System and Organization Controls, or SOC, reports. At this time, we have not experienced cybersecurity incidents, or are aware of any risks from cybersecurity threats, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Cybersecurity Governance Board of Directors Our board of directors is responsible for general oversight and regular review of information regarding our risks, including cybersecurity risks. Members of management communicate an overview of our current cybersecurity environment to our board of directors at least annually and provide updates to our board of directors regarding cybersecurity matters periodically throughout the year. Additionally, our third-party auditors inform the audit committee of our board of directors of our ITGC framework and control testing results, which include controls related to cybersecurity risks. Further, management has established cybersecurity incident response processes for escalating the communication of cybersecurity incidents up to the board of directors, as appropriate. Management Material risks from cybersecurity threats are assessed and managed by a dedicated team comprised of internal and external IT professionals experienced in cybersecurity threat risk management, who ultimately report to our chief operating officer. Our chief operating officer has extensive strategic and operational experience at several life sciences companies, leading a wide range of business functions, including IT. Our technology team leader has over 20 years of experience with IT and cybersecurity risk management, having served in senior executive-level IT positions at multiple Fortune 500 companies and companies within the life sciences industry. The technology team leader oversees our internal team of IT professionals, which continuously monitors our IT environment for cybersecurity threats and incidents. Our IT professionals routinely report on cybersecurity incident prevention, detection, mitigation, and remediation efforts to our technology team leader and chief operating officer. Additionally, we have established policies addressing processes for responding to potential cybersecurity incidents, including assessment, communication, and remediation 114 protocols. Our incident response processes further provide for the escalation of cybersecurity incidents to our executive management team and board of directors, as appropriate.

Company Information