Dyne Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

Dyne Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 07:35:27 EST.

Filings

10-K filed on 2024-03-05

Dyne Therapeutics, Inc. filed an 10-K at 2024-03-05 07:35:27 EST
Accession Number: 0000950170-24-025402

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We understand the importance of preventing, identifying, assessing and managing material risks associated with cybersecurity threats. Cybersecurity processes to identify, assess and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and are designed to help protect our information assets and operations from internal and external cyber threats and protect employee and patient information from unauthorized access or attack, as well as secure our network and systems. We have implemented into our operations these cybersecurity processes, technologies and controls to identify, assess and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic internal and external 114 penetration testing by an independent cybersecurity firm to inform our risk identification and assessment of critical, high, medium and minor material cybersecurity threats. To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we undertake the below listed activities: Monitor evolving cybersecurity standards and emerging data protection laws and implement changes to our processes to comply; Conduct annual policy re-certifications for all employees regarding data protection, data breach reporting requirements and data classification; Employ multifactor authentication on internal and external systems; Conduct regular phishing email simulations for all employees; and Carry cybersecurity risk insurance that provides protection against the potential losses arising from a cybersecurity incident. Our incident response plan coordinates the activities that we and our third-party cybersecurity providers take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. As part of the above processes, we engage with subject matter expert consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance. Our processes also include assessing cybersecurity threat risks associated with our use of third-party services providers in normal course of business use, including those in our supply chain or who have access to patient and employee data or our systems. Third-party risks are included within our risk management process discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, cybersecurity threats may affect our business. See Our internal information technology systems, or those of our vendors, collaborators or other contractors or consultants, may fail or suffer security breaches, loss or leakage of data and other disruptions or compromise, which could result in a material disruption of our product development programs, compromise sensitive information related to our business or prevent us from accessing critical information, trigger contractual and legal obligations, potentially exposing us to liability, reputational harm or otherwise adversely affecting our business and financial results. in “Item 1A. Risk Factors” of this Annual Report on Form 10-K. The Audit Committee of the Board of Directors is responsible for oversight of our cybersecurity risk assessment, risk management, incident response procedures and cybersecurity risks and provides updates to the Board of Directors regarding such oversight. Periodically during each year, the Audit Committee receives an overview from our Vice President, Head of Technology of our cybersecurity threat risk management and strategy processes, including potential impact on us, the efforts of management to manage the risks that are identified and our incident response preparations. Members of the Board of Directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk assessment, risk management and strategy programs. Our cybersecurity risk assessment, management and strategy processes are led by our Vice President, Head of Technology. Our Vice President, Head of Technology has over 20 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs. The Vice President, Head of Technology, a Certified Information Security Manager (CISM) with up-to-date credentials, is informed 115 about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.

Company Information