COMPASS Pathways plc 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

COMPASS Pathways plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 06:59:52 EST.

Filings

10-K filed on 2024-02-29

COMPASS Pathways plc filed a 10-K at 2024-02-29 06:59:52 EST
Accession Number: 0001628280-24-007787


Item 1C. Cybersecurity.

We are a clinical-stage biotechnology company and continue to mature as a public company since our initial public offering in 2020. We have developed cybersecurity policies, procedures and practices and an enterprise risk management program designed to align to the nature, size and scale of our business operations and cybersecurity threat profile.

Cybersecurity Governance

Our board of directors has delegated oversight responsibility for risk management, including cybersecurity risks, to our audit and risk committee, and such responsibilities are set forth in the audit and risk committee's charter. At routine board meetings, the chair of the audit and risk committee regularly provides a report to the full board on the committee's oversight activities.

We have developed an enterprise risk management program designed to monitor and assess risks arising from our business operations and make informed decisions about how to manage risk. The enterprise risk management program is overseen by our audit and risk committee and is implemented under the leadership of our vice-president of risk and compliance, who reports to our general counsel and has a direct line of communication to the chair of our audit and risk committee. As part of our enterprise risk management program, we identify and review risks related to cybersecurity on a regular basis, including risks related to third-party access to our information technology systems, and we prioritize risk categories to inform enterprise risk assessment reporting. We conduct periodic enterprise risk assessments and report the results to the executive team and the audit and risk committee.

Our chief technology officer, with 13 years of experience in information technology, artificial intelligence and software engineering, is responsible for managing and assessing risks related to cybersecurity and data governance. Our chief technology officer supervises our vice-president of information technology, who has primary operational responsibility for managing the overall cybersecurity posture and strategy, managing internal and external cybersecurity resources and organizing and leading efforts to prevent, detect and respond to cybersecurity incidents and threats. Prior to joining the company, our chief technology officer has previously served in various data and technology leadership roles, including most recently as chief data officer at another biotechnology company. Our vice-president of information technology has 25 years of experience in information technology and most recently served as senior director of information technology operations and infrastructure at another biotechnology company.

As part of our quarterly disclosure committee process, our chief technology officer discusses with our chief executive officer, interim chief financial officer and other executive team members any significant cybersecurity issues, including any potential risks related to cybersecurity incidents.

Cybersecurity Risk Management Strategy

We have developed and implemented policies, procedures and practices designed to protect the information and systems that support our operations and assets. In developing our policies and procedures, we were informed by certain industry standards and guidelines. We routinely train our employees on cybersecurity awareness and our information security and data protection policies. We have policies and procedures designed to prevent, detect and respond to cybersecurity incidents or threats. We use industry standard security and monitoring systems that are managed by our internal information technology team with support from third-party IT services firms. We also periodically conduct internal and external security testing, such as phishing testing and penetration testing. The results of our security testing are reported to our chief technology officer and when relevant with the wider executive team.

When engaging third-parties, we have procedures and protocols designed to protect our information technology systems and our confidential information. For example, before we grant third-parties access to our information technology systems, we require agreements with such third-parties, we require such third parties to complete cybersecurity training and we typically require specific contract terms in our agreements with such third-parties.

To date, we have not identified any risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents experienced by us or, to our knowledge, by any of our third-party service providers, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. Refer to the risk factor captioned “Our business and operations would suffer in the event of computer system failures, cyber-attacks or deficiencies in our cyber security or cyber security of our collaborators, vendors and other partners.” in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks.


Company Information

Name: COMPASS Pathways plc
CIK: 0001816590
SIC Description: Pharmaceutical Preparations
Ticker: CMPS - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30