COLLEGIUM PHARMACEUTICAL, INC 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

COLLEGIUM PHARMACEUTICAL, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:03:38 EST.

Filings

10-K filed on 2024-02-22

COLLEGIUM PHARMACEUTICAL, INC filed a 10-K at 2024-02-22 16:03:38 EST
Accession Number: 0001558370-24-001526


Item 1C. Cybersecurity.

Risk Management and Strategy

We maintain a cybersecurity program designed to assess, identify, and mitigate risks from cybersecurity threats. This program is informed by the five elements of the National Institute of Standards and Technology framework: identify, protect, detect, respond, and recover. We utilize various methods to achieve these objectives including but not limited to company-wide policies and operating procedures, periodic testing, systems monitoring, patch management, and mandatory ongoing employee trainings. Additionally, we partner with third-party experts to conduct periodic penetration tests and to evaluate our information technology infrastructure for vulnerabilities. We also evaluate cybersecurity risks associated with third-party vendors that provide the hosted applications we use in our financial close process through review of their System and Organization Controls (SOC) 1 reports at least annually. We continue to invest in our information technology infrastructure and cybersecurity program to strengthen our ability to protect the confidentiality, integrity, and availability of our data and the security of our information systems.

In addition to our cybersecurity program, we assess cybersecurity risks as part of our overall risk management processes, primarily through our annual Enterprise Risk Assessment. Our Enterprise Risk Assessment surveys various employees and leaders throughout our organization with the goal of evaluating our risk landscape, enhancing our overall understanding of risks to our business, and ultimately managing and/or mitigating identified risks. We assess various risks, including cybersecurity related risks, based on the likelihood of an incident occurring, impact to our organization if an incident occurred, and the level of internal control we currently have over the risk. The results are analyzed to identify vulnerabilities and then risk management/mitigation plans are designed, implemented, and evaluated for effectiveness.

If a cybersecurity incident were to occur, we would implement our incident response plan in an effort to contain and mitigate the threat. As part of our incident response plan, our Cybersecurity Incident Response Team (a cross-functional taskforce comprised of senior representatives) would convene to assess the potential impact to our business, including financial reporting requirements and legal implications.

We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected us, including our business strategy, results of operations or financial condition, to date, we and/or our vendors have, from time to time, experienced threats to, or security incidents, related to our data and systems or that had the potential to otherwise impact our business. For more information about the cybersecurity risks we face, refer to Item 1A. Risk Factors.

Governance

One of the key functions of our Board is informed oversight of our risk management process. Our Board administers this oversight function directly through our Board as a whole, as well as through various standing committees of our Board that address risks inherent in their respective areas of oversight. Our Audit Committee, a subcommittee of our Board, is responsible for the oversight of risks from cybersecurity threats. The Audit Committee receives updates at least quarterly from our Head of Information Technology regarding developments in our information technology infrastructure and cybersecurity program. This includes updates, as appropriate, on key information technology initiatives, new and existing cybersecurity risks, how management is managing those risks, and, if any, material cybersecurity incidents and the impact to our business and performance.

At the management level, our Head of Information Technology is responsible for assessing and managing risks from cybersecurity threats through oversight of our information technology infrastructure and cybersecurity program. The individual occupying this role has over 20 years of experience in information technology and cybersecurity and has served in senior cybersecurity leadership positions for over 10 years. Thus, we believe our Head of Information Technology is well-qualified to serve in this role. Our Head of Information Technology conducts bi-weekly meetings with our information technology department to remain apprised of cybersecurity matters. If a cybersecurity incident were to occur, our Head of Information Technology may inform our Executive Vice President and Head of Technological Operations and/or Audit Committee, depending on the severity of the incident in accordance with the established severity and response matrix as defined in our incident response plan.


Company Information

Name: COLLEGIUM PHARMACEUTICAL, INC
CIK: 0001267565
SIC Description: Pharmaceutical Preparations
Ticker: COLL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30