Spero Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-13

Page last updated on April 11, 2024

Spero Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-13 16:10:58 EDT.

Filings

10-K filed on 2024-03-13

Spero Therapeutics, Inc. filed an 10-K at 2024-03-13 16:10:58 EDT
Accession Number: 0000950170-24-030767

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We recognize the critical importance of maintaining the trust and confidence of customers, clients, patients, business partners and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity policies, standards, processes and practices are based on recognized frameworks established by applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity Risk Management and Strategy Effect of Risk We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including events perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, which includes regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and services, including network and endpoint monitoring, audits, vulnerability assessments, penetration testing and threat modeling to inform our risk identification and assessment. We also work with trusted third-party information security providers to deploy technologies designed to detect any unusual activities in our systems, attempts to access our systems, and guard against other security threats. As discussed in more detail under Cybersecurity Governance below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by our Head of Information Technology ( IT ). 72 We also identify our cybersecurity threat risks by comparing our processes to industry standards, as well as by engaging experts to attempt to infiltrate our information systems. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities: monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence provide training for our employees regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices leverage incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident and carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident. Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation. As part of our processes, we regularly engage with consultants, auditors and other third parties, including having a third-party review our cybersecurity program to help identify areas for continued focus, improvement and compliance. Our incident response plan requires that suspected cybersecurity incidents are promptly reported to our Controller and Chief Human Resource Officer and includes an escalation path to our Chief Executive Officer, executive leadership team, and board of directors. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading Our internal computer systems, or those of our contract research organizations or other contractors or consultants, may fail or suffer cybersecurity incidents, which could result in a material disruption of our product development programs, and could subject us to liability , which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents. Cybersecurity Governance Management Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats. Our audit committee receives updates from management of our cybersecurity threat risk management and strategy processes. The audit committee receives information regarding current and emerging material cybersecurity threat risks and our ability to mitigate those risks. Our board of directors receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Head of IT. This individual has over ten years of information technology and cybersecurity work experience. This risk management team member is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. This risk management team member reports to the audit committee of our board of directors about cybersecurity threat risks, among other cybersecurity related matters. 73

Company Information