Aldeyra Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Aldeyra Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:06:42 EST.

Filings

10-K filed on 2024-03-07

Aldeyra Therapeutics, Inc. filed an 10-K at 2024-03-07 16:06:42 EST
Accession Number: 0000950170-24-027933

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY All companies utilizing technology are subject to threats of breaches of their cybersecurity programs. To mitigate the threat to our business and address regulatory requirements, we take a comprehensive approach to cybersecurity risk management and have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We continue to make proactive and strategic investments to augment the capabilities of our people, processes, and technologies in order to address our cybersecurity risks. Our cybersecurity risks, and the controls designed to mitigate those risks, are imbedded into our overall risk management governance and are reviewed at least annually by the Audit Committee of our Board of Directors. Risk Management and Strategy We’ve implemented a set of comprehensive cybersecurity and data protection policies and procedures. Our employees and contractors receive regular cybersecurity awareness trainings, including specific topics related to social engineering and email frauds. We have engaged consultants with significant expertise and certifications in cybersecurity related to our industry. We invest in advanced technologies for continuous cybersecurity monitoring across our information technology environment which are designed to prevent, detect, and minimize cybersecurity attacks, as well as alert management of such attacks. Our information security policy is based on recognized industry standards and cover areas such as risk management, data backup, and data recovery. We engage consultants and IT managed service providers (IT MSP), to help us design and implement our cybersecurity policies and procedures. These service providers assist us with monitoring security threats and vulnerabilities and responding to identified cybersecurity incidents, including prompt escalation and timely communication of major security incidents to senior business leadership and the Audit Committee. We conduct cybersecurity penetration testing as warranted to identify and remediate cybersecurity gaps. Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our current IT consultants and IT MSP, who report to our interim Chief Financial Officer, to manage the risk assessment and mitigation process. Our interim Chief Financial Officer has served in various capacities in enterprise risk management and cybersecurity over five years, including serving as our Data Security Coordinator for the past two years, during which he has overseen our risk management process. We evaluate each third-party service provider to verify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect the Company. Governance Our Board of Directors and Audit Committee are responsible for overseeing our cybersecurity risk management and strategy. Our interim Chief Financial Officer periodically meets with our IT consultants and IT MSP about the Company s ongoing compliance and risk management and provides periodic briefings to the Audit Committee regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. 85 Cybersecurity Threat Disclosure There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our Risk Factors in Item 1A include further detail about the material cybersecurity risks we face, to date, we are not aware of any cybersecurity threats that have materially affected our business. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition.

Company Information