Immuneering Corp 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

Immuneering Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 08:05:34 EST.

Filings

10-K filed on 2024-03-01

Immuneering Corp filed an 10-K at 2024-03-01 08:05:34 EST
Accession Number: 0001790340-24-000024

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. “Cybersecurity” contained in this Annual Report on Form 10-K for additional information. Our operations are vulnerable to interruption by fire, severe weather conditions, power loss, telecommunications failure, terrorist activity, military conflict, future pandemics and other events beyond our control, which could harm our business. Our facilities are located in regions which experience severe weather from time to time. We have not undertaken a systematic analysis of the potential consequences to our business and financial results from a major tornado, flood, fire, earthquake, power loss, terrorist activity, geopolitical conflicts, military conflict, future pandemics, public health crises or other disasters and do not have a recovery plan for such disasters. In addition, we do not carry sufficient insurance to compensate us for actual losses from interruption of our business that may occur, and any losses or damages incurred by us could harm our business. The occurrence of any of these business disruptions could seriously harm our operations and financial condition and increase our costs and expenses. We are an emerging growth company, and we cannot be certain if the reduced reporting requirements applicable to emerging growth companies will make our Class A common stock less attractive to investors. We are an emerging growth company, as defined in the Jumpstart Our Business Startups Act of 2012 (the “JOBS Act”). For as long as we continue to be an emerging growth company, we intend to take advantage of exemptions from various reporting requirements that are applicable to other public companies that are not emerging growth companies, including: being permitted to provide only two years of audited financial statements, in addition to any required unaudited financial statements, with correspondingly reduced Management s Discussion and Analysis of Financial Condition and Results of Operations disclosure in this and other periodic reports; not being required to comply with the auditor attestation requirements of Section 404 of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”); not being required to comply with any requirement that may be adopted by the Public Company Accounting Oversight Board regarding the communication of critical audit matters in the auditor s report on financial statements; reduced disclosure obligations regarding executive compensation in our periodic reports and proxy statements; and exemptions from the requirements of holding nonbinding advisory stockholder votes on executive compensation and stockholder approval of any golden parachute payments not previously approved. We cannot predict if investors will find our Class A common stock less attractive because we may rely on these exemptions. If some investors find our Class A common stock less attractive as a result, there may be a less active trading market for our Class A common stock and our stock price may be more volatile. We will remain an emerging growth company until the earliest to occur of: (1) the last day of the fiscal year in which we have more than $1.235 billion in annual revenue; (2) the date we qualify as a large accelerated filer, with at least $700 million of equity securities held by non-affiliates; (3) the date on which we have issued more than $1.0 billion in non-convertible debt securities during the prior three-year period; and (4) the last day of the fiscal year ending after the fifth anniversary of our initial public offering. Under the JOBS Act, emerging growth companies can also delay adopting new or revised accounting standards until such time as those standards apply to private companies. We intend to take advantage of the extended transition period for adopting new or revised accounting standards under the JOBS Act as an emerging growth company. As a result of this election, our financial statements may not be comparable to companies that comply with public company effective dates. 102 Table of Contents The requirements of being a public company may strain our resources, result in more litigation and divert management s attention. As a public company, we are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), the listing requirements of Nasdaq and other applicable securities laws, rules and regulations. Complying with these laws, rules and regulations has increased and will continue to increase our legal and financial compliance costs, make some activities more difficult, time consuming or costly and increase demand on our systems and resources. The Exchange Act requires, among other things, that we file annual, quarterly and current reports with respect to our business and results of operations. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. We are required to disclose changes made in our internal control and procedures on a quarterly basis. In order to maintain and, if required, improve our disclosure controls and procedures and internal control over financial reporting to meet this standard, significant resources and management oversight will be required. As a result, management s attention may be diverted from other business concerns, which could adversely affect our business and results of operations. We may also need to hire additional employees or engage outside consultants to comply with these requirements, which will increase our costs and expenses. In addition, changing laws, rules, regulations and standards relating to corporate governance and public disclosure are creating uncertainty for public companies, increasing legal and financial compliance costs and making some activities more time consuming. These laws, rules, regulations and standards are subject to varying interpretations, in many cases due to their lack of specificity and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We intend to invest resources to comply with evolving laws, rules, regulations and standards, and this investment may result in increased general and administrative expenses and a diversion of management s time and attention from revenue-generating activities to compliance activities. If our efforts to comply with new laws, rules, regulations and standards differ from the activities intended by regulatory or governing bodies due to ambiguities related to their application and practice, regulatory or other governmental authorities may initiate legal proceedings against us and our business may be adversely affected. These new rules and regulations may make it more expensive for us to obtain director and officer liability insurance and, in the future, we may be required to accept reduced coverage or incur substantially higher costs to obtain coverage. These factors could also make it more difficult for us to attract and retain qualified members of our Board, particularly to serve on our audit committee and compensation committee, and qualified executive officers. By disclosing information in this filing and in future filings required of a public company, our business and financial condition will become more visible, which we believe may result in threatened or actual litigation, including by competitors and other third parties. If those claims are successful, our business could be seriously harmed. Even if the claims do not result in litigation or are resolved in our favor, the time and resources needed to resolve them could divert our management s resources and seriously harm our business. If we fail to maintain an effective system of internal control over financial reporting, we may not be able to accurately report our financial results or prevent fraud. As a result, stockholders could lose confidence in our financial and other public reporting, which would harm our business and the trading price of our Class A common stock. Effective internal controls over financial reporting are necessary for us to provide reliable financial reports and, together with adequate disclosure controls and procedures, are designed to prevent fraud. Any failure to implement required new or improved controls, or difficulties encountered in their implementation could cause us to fail to meet our reporting obligations. In addition, any testing by us conducted in connection with Section 404, or any subsequent testing by our independent registered public accounting firm, may reveal deficiencies in our internal controls over financial reporting that are deemed to be material weaknesses or that may require prospective or retroactive changes to our financial statements or identify other areas for further attention or improvement. Inferior internal controls could also cause investors to lose confidence in our reported financial information, which could have a negative effect on the trading price of our stock. We will be required to disclose changes made in our internal controls and procedures on a quarterly basis and our management will be required to assess the effectiveness of these controls annually. However, for as long as we are an emerging growth company or a non-accelerated filer (as defined under applicable SEC rules), our independent registered public accounting firm will not be required to attest to the effectiveness of our internal controls over financial reporting pursuant to Section 404. An independent assessment of the effectiveness of our internal controls over financial reporting could detect problems that our management s assessment might not. Undetected material weaknesses in our internal 103 Table of Contents controls over financial reporting could lead to restatements of our financial statements and require us to incur the expense of remediation. We may be subject to securities litigation, which is expensive and could divert management attention. The market price of our Class A common stock may be volatile and, in the past, companies that have experienced volatility in the market price of their stock have been subject to securities class action litigation. We may be the target of this type of litigation in the future. Securities litigation against us could result in substantial costs and divert our management s attention from other business concerns, which could seriously harm our business. New tax legislation may impact our results of operations and financial condition. The U.S. government may enact significant changes to the taxation of business entities including, among others, an increase in the corporate income tax rate, an increase in the tax rate applicable to the global intangible low-taxed income and elimination of certain exemptions, and the imposition of minimum taxes or surtaxes on certain types of income. For example, the recently enacted Inflation Reduction Act, among other changes, introduced a 15% corporate minimum tax on certain United States corporations and a 1% excise tax on certain stock redemptions by United States corporations. The likelihood of these or other further changes being enacted or implemented is unclear. We are currently unable to predict whether such changes will occur. If such changes are enacted or implemented as well as the scope of any such changes, we are currently unable to predict the ultimate impact on our business. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. We design and assess our cybersecurity risk management program based in part on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not, nor is it in any way intended to, imply that we currently or may in the future meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and/or financial risk areas. Our cybersecurity risk management program includes: risk assessments designed to help identify material cybersecurity risks to our critical systems, information, potential products, services, and our broader enterprise IT environment; a cyber security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents; the use of external service providers, as we believe appropriate, to assess, test or otherwise assist with aspects of our security controls; cybersecurity awareness training of our employees, incident response personnel, and senior management; a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and risk management processes with respect to third party service providers, suppliers, and vendors. 104 Table of Contents We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Cybersecurity Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management s implementation of our cybersecurity risk management program. The Audit Committee receives periodic reports from management on our cybersecurity risks. In addition, management is tasked with updating the Audit Committee, if and as necessary, regarding any material cybersecurity incidents, as well as other incidents with lesser impact potential. The Audit Committee periodically reports to the full Board of Directors regarding its activities, which may include those related to cybersecurity. The full Board of Directors may also from time to time receive briefings from management related to our cyber risk management program. Directors may receive presentations on cybersecurity topics from our management, internal cyber security / information technology staff, or external experts as part of continuing education on topics that impact public companies. Our management team, including our Executive Director of IT with supervision by our Chief Legal Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The management team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and external cybersecurity consultants. Our Executive Director of IT has previous experience managing information technology infrastructure and cybersecurity, as well as responding to cybersecurity incidents, at other biopharmaceutical companies. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.
Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information. We design and assess our cybersecurity risk management program based in part on the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). This does not, nor is it in any way intended to, imply that we currently or may in the future meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and/or financial risk areas. Our cybersecurity risk management program includes: risk assessments designed to help identify material cybersecurity risks to our critical systems, information, potential products, services, and our broader enterprise IT environment; a cyber security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents; the use of external service providers, as we believe appropriate, to assess, test or otherwise assist with aspects of our security controls; cybersecurity awareness training of our employees, incident response personnel, and senior management; a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and risk management processes with respect to third party service providers, suppliers, and vendors. 104 Table of Contents We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Cybersecurity Governance Our Board of Directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management s implementation of our cybersecurity risk management program. The Audit Committee receives periodic reports from management on our cybersecurity risks. In addition, management is tasked with updating the Audit Committee, if and as necessary, regarding any material cybersecurity incidents, as well as other incidents with lesser impact potential. The Audit Committee periodically reports to the full Board of Directors regarding its activities, which may include those related to cybersecurity. The full Board of Directors may also from time to time receive briefings from management related to our cyber risk management program. Directors may receive presentations on cybersecurity topics from our management, internal cyber security / information technology staff, or external experts as part of continuing education on topics that impact public companies. Our management team, including our Executive Director of IT with supervision by our Chief Legal Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The management team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and external cybersecurity consultants. Our Executive Director of IT has previous experience managing information technology infrastructure and cybersecurity, as well as responding to cybersecurity incidents, at other biopharmaceutical companies. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the information technology environment.

Company Information