C4 Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

C4 Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 07:20:01 EST.

Filings

10-K filed on 2024-02-22

C4 Therapeutics, Inc. filed an 10-K at 2024-02-22 07:20:01 EST
Accession Number: 0001628280-24-006144

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cyber Risk Management and Strategy We have implemented and maintain an ongoing cybersecurity risk management program, under the oversight of the audit committee of the board of directors, that is focused on identifying, assessing and mitigating cyber risk. We engage with multiple third-party vendors who provide a variety of services ranging from ongoing security advisory services to security monitoring and response management. In addition, we also have a process to assess and review the cybersecurity practices of third-party vendors and service providers, including through the use of vendor questionnaires and contractual security requirements, as appropriate. In addition to these efforts, we have implemented an ongoing enterprise risk management program that includes processes designed to identify, assess, and address cybersecurity risks. Our cybersecurity efforts are informed by industry standards and include periodic, targeted risk assessments supported by cybersecurity technologies, including third-party security solutions and monitoring tools, designed to monitor, identify, and address cybersecurity risks. Additionally, as a public company, we are subject to various regulatory requirements around our internal controls, including our controls around our information technology systems and their impact on our financial statements or systems. We have engaged a third party vendor to advise us on our compliance with these requirements, including around our controls related to cybersecurity, and strategies to mitigate related risk. If we were to identify any control deficiencies that represent cybersecurity risks, those would be reported to the Chief Financial Officer and the audit committee, together with plans for corrective action, as appropriate. Governance Related to Cybersecurity Risks 78 Table of Contents Our cyber risk management program and related operations and processes are managed by our Director of Information Technology, in consultation with the legal and human resources teams. Currently, the Director of Information Technology role is held by an individual who has over 17 years of cybersecurity, information technology, and systems engineering experience. The Director of Information Technology reports to the Chief People Officer. The Director of Information Technology meets with the Chief People Officer periodically to monitor and review the outcomes of our cybersecurity risk management processes and to discuss and address matters related to cybersecurity risk management strategy. The Director of Information Technology, working with the Chief Legal Officer and Chief People Officer, provides periodic reports to the audit committee, which is responsible for reviewing and overseeing the Company s risk management processes, including cybersecurity risks. The Chief Financial Officer, Chief People Officer and Chief Legal Officer and/or other senior members of the legal team, participate in audit committee meetings, which are generally led by the Chief Financial Officer, as well as meetings of the full board of directors. Our enterprise risk management process is overseen by our Chief Legal Officer and Chief Financial Officer. In collecting information on enterprise risk, cyber security is specifically included as a risk category, and the results of our enterprise risk assessment processes, including risks related to cybersecurity, are also discussed with the audit committee and among senior management on a periodic basis.

Company Information