Nuvalent, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Nuvalent, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 06:42:43 EST.

Filings

10-K filed on 2024-02-27

Nuvalent, Inc. filed an 10-K at 2024-02-27 06:42:43 EST
Accession Number: 0000950170-24-020607

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan. Our cybersecurity risk management program is a key component of our overall risk management process, and includes similar characteristics, reporting channels and governance processes to those that apply across other legal, compliance, strategic, operational, and financial risk areas within the Company. We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program includes: risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment; a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents; the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls; cybersecurity awareness training of our employees, incident response personnel, and senior management; a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and a third-party risk management process for service providers, suppliers, and vendors. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Cybersecurity Governance Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to its audit committee oversight of cybersecurity and other information technology risks. The audit committee oversees management s implementation of our cybersecurity risk management program. 93 The audit committee receives reports from management on our cybersecurity risks at least annually. In addition, management updates the audit committee regarding all material cybersecurity incidents, as well as any incidents with lesser impact potential that management, in its discretion, determines may be relevant for audit committee review. The audit committee reports to the full board regarding its activities, including those related to cybersecurity. Our management team, including specifically our Chief Financial Officer, working closely with our Vice President of Information Technology and our Director of Cybersecurity (our Cybersecurity Oversight Team), is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Cybersecurity Oversight Team s experience includes a combined 50+ years in the pharmaceutical industry and information technology. This includes software and systems development, cybersecurity program oversight, and overall IT management. The team has over two decades of experience dedicated to supporting enterprise architecture and more than eight years of experience specializing in cybersecurity, implementing cybersecurity frameworks, assessing and managing cybersecurity risks, and executing incident response plans. Our Cybersecurity Oversight Team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment. Pursuant to our Incident Response Plan (IRP), all of our employees are trained to report a suspected cybersecurity incident or breach to our information technology team. Reporting guidelines under the IRP describe how to report an incident and what details to include. As a first step under the IRP, our information technology team assesses the reported risk or breach and escalates it to our Incident Response Team (IRT), as appropriate. The IRT is comprised of the members of our Cybersecurity Oversight Team and other critical business function leaders, including members of our legal and communications teams. Following notification from our information technology team, the IRT is responsible for continuing to assess the suspected risk or breach to determine its potential impact on our organization, systems and data. Based on that assessment, the IRT may raise the incident or breach to other members of management or the audit committee for further review and triage.

Company Information