Caribou Biosciences, Inc. 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Caribou Biosciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:25:52 EDT.

Filings

10-K filed on 2024-03-11

Caribou Biosciences, Inc. filed an 10-K at 2024-03-11 16:25:52 EDT
Accession Number: 0001619856-24-000013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include operational risks, intellectual property or trade secret theft, improper disclosure of confidential information, fraud, extortion, harm to employees or third parties with which we do business, and violation of data privacy or security laws. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, technical operations, privacy, and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal information technology ( IT ) audits, and IT security reviews. To defend, detect, and respond to cybersecurity incidents, we perform cybersecurity reviews of systems and applications audits of applicable data policies regular vulnerability assessments and penetration testing using external third-party tools to test security control security incident and event management continuous monitoring, and threat intelligence gathering conduct employee training and implement appropriate changes. We also leverage third-party expertise to audit and test our cybersecurity program. These include periodic reviews of cybersecurity threats and related controls, including reviews of periodic penetration tests conducted by independent third parties. We have implemented processes to manage the cybersecurity risks associated with our use of third-party service providers. This includes proactive monitoring of third party s configurations, risk questionnaires for new technology vendors, and other processes to minimize risks associated with our third-party providers. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors and suppliers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers and potential fourth-party risks when handling and/or processing our confidential information and data. In addition to new vendor onboarding, we perform risk management during third-party cybersecurity compromise incidents to identify and mitigate risks to us from third parties. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, see Risk Factors - Our internal computer systems, or those of third parties with which we interact, may fail or suffer security breaches, which could result in a material disruption of the development of our product candidates and research programs, compromise sensitive information related to our business, or prevent us from accessing critical information, potentially exposing us to liability or otherwise adversely affecting our business, in Item 1A of this Annual Report on Form 10-K. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. The board s audit committee is responsible for the oversight of risks from cybersecurity threats and receives updates on a quarterly basis from management, including representatives from our IT, finance, and legal departments regarding matters of cybersecurity. These updates include existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Our board members also engage in ad hoc conversations with management on cybersecurity-related news events and updates to our cybersecurity risk management and strategy programs. Our day-to-day cybersecurity risk management and strategy processes are overseen by representatives from our IT, finance, and legal departments. Such individuals have an average of over 15 years of prior work experience in various roles involving IT security, auditing, compliance, data protection, privacy, risk management, systems, and programming. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, our cybersecurity risk management and strategy processes, and report to the audit committee on any appropriate items. 105 Table of Contents

Company Information