Sana Biotechnology, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Sana Biotechnology, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:20:33 EST.

Filings

10-K filed on 2024-02-29

Sana Biotechnology, Inc. filed an 10-K at 2024-02-29 16:20:33 EST
Accession Number: 0000950170-24-023119

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct periodic risk assessments to identify cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, we evaluate whether and how to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate personnel, including our Head of Information Security, who reports to our Vice President, Information Technology, to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train relevant personnel on these safeguards. These efforts are led by our Information Security group. All personnel are expected to engage in security awareness training. We engage third parties to perform security assessments to test our safeguards and, when appropriate, implement modifications to or add new safeguards based on the results of such assessments. We generally require each of our relevant third-party service providers to implement and maintain appropriate security measures and to promptly notify us of any suspected breach of security that may affect our company. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, Risk Factors, in this Annual Report. Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers and other members of senior management are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as well as through our audit committee. Our Head of Information Security is primarily responsible for assessing and managing our material risks from cybersecurity threats. He has worked in various roles pertaining to cybersecurity for more than fifteen years and possesses a Certified Information Systems Security Professional (CISSP) certification. Our Head of Information Security oversees our cybersecurity policies and processes, including those described above under Risk Management and Strategy. The processes by which he is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following: vulnerability management, third party risk management, data security management, security awareness training, systems management, operations security, security incident and event management, and incident response management. We utilize third parties for managed detection and active response to cybersecurity incidents. Our Head of Information Security provides quarterly briefings to our audit committee regarding our cybersecurity risks and activities, such as any recent cybersecurity incidents and related responses (including those of third parties), if any, and cybersecurity systems testing. Our audit committee provides periodic updates to the board of directors that include any material information included in such briefings. In addition, our Head of Information Security provides annual briefings to our board of directors on cybersecurity risks and activities. 144

Company Information