Liquidia Corp 10-K Cybersecurity GRC - 2024-03-13

Page last updated on July 16, 2024

Liquidia Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 07:30:43 EDT.


10-K filed on 2024-03-13

Liquidia Corp filed a 10-K at 2024-03-13 07:30:43 EDT
Accession Number: 0001558370-24-003051


Item 1C. Cybersecurity.

Risk Management and Strategy

Integrated Risk Management

Management is responsible for the day-to-day management of the Company’s risk exposure, subject to the direction and objectives established by our Board of Directors (the “Board”). As an important component of the Company’s risk management process, management reviews risks from cybersecurity threats and the Company’s programs for evaluating, mitigating and educating its employees regarding cybersecurity risks. We employ a range of tools and services, including regular network and endpoint monitoring, managed detection and response, system patching, managed security services, server and endpoint scheduled backups, awareness training and testing, periodic vulnerability assessments and penetration testing, to update our ongoing cybersecurity risk identification and mitigation efforts.

As part of our cybersecurity risk management, we have adopted a cybersecurity incident response plan to identify and manage cybersecurity threats and incidents, including but not limited to those that touch on operational risk, intellectual property theft, reputational risks, fraud and extortion, harm to the personal identifying data of employees or customers, violations of laws, and other risks. Under our cybersecurity incident response plan, we have appointed an incident response team, consisting of our Chief Executive Officer, Chief Financial Officer, General Counsel, head of information technology and head of human resources. The incident response team, in connection with outside legal and cybersecurity advisors, is responsible for investigating suspected cybersecurity incidents, taking appropriate steps to contain, mitigate or resolve a cybersecurity incident and reporting findings to management.

In the event of a cybersecurity incident, our General Counsel is responsible for convening a materiality incident response team to assess the materiality of cybersecurity incidents meeting certain escalation criteria.

Engagement of Third-party Support

We engage third-party service providers to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of cybersecurity controls.

Third-party Risk Management

We have adopted a third-party due diligence assessment policy to define the procedures for assessing and identifying risk from cybersecurity threats associated with the use of any third-party vendor who interacts with Liquidia’s technology infrastructure or Liquidia’s confidential, proprietary, or personally identifiable information. Under this policy, cybersecurity risks are identified and evaluated as part of the selection and oversight of applicable third-party service providers.

Impact of Risks from Cybersecurity Threats

We do not believe that any of the risks from cybersecurity threats we have faced to date have materially affected the Company, our business strategy, results of operations or financial condition. However, as discussed under “Risk Factors” in Part I, Item 1A of this Annual Report, cybersecurity threats pose multiple risks to us, including potentially to our results of operations and financial condition. See Item 1A. Risk Factors - We are subject to risks related to information technology systems, including cyber-security risks; successful cyber-attacks or technological malfunctions can result in, among other things, financial losses, the inability to process transactions, the unauthorized release of confidential information and reputational risk, all of which would negatively impact our business, financial condition or results of operations.

Governance

Board Oversight of Cybersecurity Threats

The Board has oversight responsibility for the Company’s overall risk management framework. The Board, acting primarily through the Audit Committee, is also responsible for oversight of our risk management practices, including as to cybersecurity, while management is responsible for the day-to-day risk management processes. Through our Chief Executive Officer and other members of management, the Board receives periodic reports regarding the risks facing the Company, including as to cybersecurity risks. In addition, the Audit Committee assists the Board in its oversight role by receiving periodic reports regarding our risk and control environment, including by receiving regular reports regarding cybersecurity risks and initiatives.

Role of Management

Our management and information technology teams, collectively, have decades of experience in the areas of information technology, finance, legal, human resources, data privacy and risk management. Our internal information technology organization, overseen by our Chief Financial Officer (the “CFO”), is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The day-to-day activities of our information technology organization are managed by our current head of information technology director, who has more than 20 years of experience in information technology systems and cybersecurity, including experience in safeguarding and monitoring networks and systems, responding to incidents, and reducing the risk of business exposure. The information technology organization also engages legal and cybersecurity professionals with appropriate subject matter expertise in support of its cybersecurity efforts.

The information technology organization manages and continually enhances the Company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. In the event of a cybersecurity incident, the Company is equipped with an incident response plan that includes: (i) detection and analysis, (ii) containment and eradication, (iii) remediation and (iv) preparation for future incidents. Incident responses will be led by our incident response team and supported by Legal, Compliance and other functions as appropriate. Our CFO provides regular updates to the Audit Committee concerning the Company’s technology and cybersecurity programs, associated risks and the Company’s efforts to help mitigate those risks.

Company Information

Name: Liquidia Corp
SIC Description: Pharmaceutical Preparations
Ticker: LQDA - Nasdaq
Emerging growth company
Fiscal Year End: December 30