Virios Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-01

Page last updated on April 11, 2024

Virios Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-01 09:10:56 EST.

Filings

10-K filed on 2024-03-01

Virios Therapeutics, Inc. filed an 10-K at 2024-03-01 09:10:56 EST
Accession Number: 0001558370-24-002239

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Our use of information systems for using, transmitting and storing data is a vital aspect of our business operations. Information systems can be vulnerable to a range of cybersecurity threats that could potentially have a material impact on our business strategy, results of operations and financial condition. Cybersecurity Risk Management and Strategy . The Company actively maintains a cyber-risk management program. Cybersecurity is a key category within our risk management program, and our cybersecurity risk management is intended to assist in assessing, identifying, and managing material risks from cybersecurity threats to the Company s information systems. This integration of cybersecurity into the Company s overall enterprise risk management program is to ensure that cybersecurity considerations are included in decision-making processes throughout the Company. Our cybersecurity program is designed to safeguard against evolving and increasingly sophisticated cybersecurity threats by helping to prevent, detect, mitigate and respond to cyber-attacks. Our approach consists of, among other things, cybersecurity threat and vulnerability prevention, detection, mitigation and remediation of potential cybersecurity risks. We employ cybersecurity intrusion detection systems and continuous monitoring, in order to help defend against unauthorized access. Identity-based access management also serves an integral role of our cybersecurity strategy and involves access controls and identity authentication requirements. Access to the Company s data is monitored and controlled according to access control policies. Data protection and privacy practices, including data loss prevention, help to safeguard sensitive information. The Audit Committee of our Board of Directors is responsible for oversight of the Company s cyber-risk management program and management s role is to assist the Audit Committee in identifying and considering material cybersecurity risks, ensure implementation of management and employee level cybersecurity practices and training and provide the Audit Committee with regular reports regarding any cybersecurity attacks or vulnerabilities. As of the date of this Annual Report on Form 10-K, the Company has not experienced any cybersecurity attacks. The Company also requires our employees to participate in cybersecurity training and awareness programs. In particular, we have determined that the most significant cybersecurity risk to our organization is social engineering schemes such as phishing schemes. All employees receive training twice a year in identifying and stopping social engineering cyber-attacks. The Company s employees are expected to help safeguard the Company s information systems and to assist in the discovery and reporting of cybersecurity incidents. These programs are intended to decrease cybersecurity risks associated with human error and foster a culture of cybersecurity consciousness. Our cybersecurity program is periodically evaluated against established quantifiable goals and other external benchmarks. This evaluation is carried out through periodic internal and external risk assessments and compliance audits. The third parties that the Company engages in order to conduct these evaluations, 69 assessments and audits, including our third-party internal audit vendor, Crowe LLP, also advise us on the effectiveness of our cybersecurity processes and assist the Company in remediating any identified vulnerabilities and implementing any recommended measures to improve our cybersecurity defenses. In addition to monitoring cybersecurity threats to the Company s information systems, the Company s vendor risk management practices are intended to help monitor, mitigate and prevent cybersecurity risks from external sources. We operate as a virtual company and maintain vital information, including financial and payroll information, on servers owned and maintained by our vendors. As such, we rely on the internal controls of our third party vendors to protect our vital information. We obtain and review reports on the internal controls of our vendors on an annual basis to ensure that we believe their cybersecurity procedures are adequate and to confirm that there have been no data breaches affecting our information. For certain third-party providers we deem critical to our operations, we also obtain and review System and Organization Controls reports at the beginning of an engagement, as well as on an ongoing basis, in order to assess their cybersecurity preparedness. To date, the risks from cybersecurity threats, including as a result of any previous immaterial cybersecurity incidents, have not materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. While the Company maintains cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. For more information regarding the risks the Company faces from cybersecurity threats, see Risk Factors Risks Related to Our Intellectual Property Our proprietary information may be lost, or we may suffer security breaches.

Company Information