OCULAR THERAPEUTIX, INC 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

OCULAR THERAPEUTIX, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:12:44 EDT.

Filings

10-K filed on 2024-03-11

OCULAR THERAPEUTIX, INC filed a 10-K at 2024-03-11 16:12:44 EDT
Accession Number: 0001558370-24-002902


Item 1C. Cybersecurity.

We have certain processes for assessing, identifying and managing cybersecurity risks, which are built into our overall risk management program and are designed to help protect our information assets and operations from internal and external cyber threats and to protect the information of employees, customers, vendors, and other individuals, such as subjects enrolled in our clinical trials, from unauthorized access or attack, as well as secure our networks and systems. We have designed our processes based on, and periodically assess our processes against, the National Institute of Standards and Technology Cybersecurity Framework Special Publication 800-53, 800-61, rev 2, or the NIST Framework. This does not imply that we meet any particular technical standards, specifications, or requirements of the NIST Framework, only that we use these standards as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

Our processes for assessing, identifying and managing cybersecurity risks include physical, procedural and technical safeguards, a cybersecurity incident response plan, regular tests on our systems, incident simulations and routine review of our policies and procedures to identify risks and improve our practices. We engage certain external parties, including computer security firms, to assist us with the identification, verification, and validation of cybersecurity risks, and to support mitigation efforts if necessary. We consider the internal risk oversight programs of third-party service providers before engaging them in order to help protect us from any related vulnerabilities.

We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.

The Audit Committee of our board of directors provides direct oversight over cybersecurity risk and provides updates to the board of directors regarding such oversight as deemed necessary. The Audit Committee receives periodic updates from management regarding cybersecurity matters and is notified between such updates regarding significant new cybersecurity threats or incidents.

Our management team is responsible for day-to-day assessment and management of cybersecurity risks. On our management team, our Chief Financial Officer, or CFO, leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare us and our employees, customers, vendors and other individuals to address cybersecurity risks. Our CFO has approximately 10 years of experience managing information technology teams of operating companies in the biotechnology industry. Our CFO leads a cross-functional Cybersecurity Committee, consisting of executive-level leaders and other management-level individuals with the requisite skills and education, that assists the CFO with carrying out these duties. Collectively, the members of our Cybersecurity Committee have notable experience in managing information security, possess the education and skills to fulfill these duties, and attend periodic trainings as necessary.

In an effort to deter and detect cyber threats, we provide all employees, including part-time and temporary employees, with periodic training, including training related to data protection, cybersecurity and incident response, and prevention and compliance, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.


Company Information

Name: OCULAR THERAPEUTIX, INC
CIK: 0001393434
SIC Description: Pharmaceutical Preparations
Ticker: OCUL - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30