Enliven Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-14

Page last updated on April 11, 2024

Enliven Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-14 16:15:39 EDT.

Filings

10-K filed on 2024-03-14

Enliven Therapeutics, Inc. filed an 10-K at 2024-03-14 16:15:39 EDT
Accession Number: 0000950170-24-031495

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyb ersecurity. Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and we have integrated these processes into our overall risk management systems and processes. We periodically assess material risks from cybersecurity threats, including any potential unauthorized occurrences on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We have established a risk management framework which provides for the identification, assessment, management, and monitoring of cybersecurity risks. The implementation of this framework includes an iterative and periodically updated risk identification process and will include penetration testing. Identified risks are assessed, managed, monitored, and periodically reassessed to account for new threats, changes in operations, the effectiveness of implemented safeguards, and other factors. Our risk management framework activities include the identification, assessment, and monitoring of reasonably foreseeable internal and external risks, including risks associated with key third-party vendors and service providers. The risk assessment, monitoring, and review process address the likelihood and potential damage that could result from such risks, and the sufficiency of existing 85 policies, procedures, systems, and safeguards in place to manage such risks. In this context, under our risk management framework, we periodically work to re-design, implement, update, and maintain reasonable safeguards to minimize identified risks, including risks related to third-party vendors and service providers monitor the effectiveness of our safeguards and reasonably address any identified gaps in existing safeguards. As part of our risk management framework, we also periodically assign third-party cybersecurity training to our employees on our cybersecurity policies and safeguards. We employ external cybersecurity consultants to help design and implement our cybersecurity policies and procedures, and to identify, assess, manage, and monitor cybersecurity risks. Under the supervision of senior executive management, our Head of Information Technology (IT), supported by external cybersecurity consultants, supervises and directs the implementation of our cybersecurity risk management framework. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, Risk Factors, in this annual report on Form 10-K, including the risk factors entitled, Our internal computer systems, or those of any of our CROs, manufacturers, other contractors or consultants or potential future collaborators, may fail or suffer actual or suspected security or data privacy incidents or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data, or personal information, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations, and potentially significant delays in our clinical trials and delivery to market. and We are subject to stringent and changing privacy, data protection and data security laws, regulations and standards as well as policies, contracts and other obligations related to data privacy, data protection and data security. Our actual or perceived failure to comply with such obligations could lead to enforcement or litigation (that could result in fines or penalties), a disruption or cancellation of clinical trials or commercialization of products, reputational harm, or other adverse business effects. Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee. The audit committee has primary board responsibility for strategic oversight of our cybersecurity program, including by quarterly reviewing and discussing with management the Company s cybersecurity and other information technology risks, controls and procedures, as well as the Company s plans to mitigate cybersecurity risks and to respond to data breaches. Our Chief Legal Officer, who serves as our Head of Information Technology (IT), with the assistance of and informed by our external consultants, is primarily responsible for overseeing our cybersecurity risk management framework, including assessing and managing our material risks from cybersecurity threats, as well as monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our Chief Legal Officer and Head of IT has experience as a senior legal, compliance and operations executive in highly regulated companies, including in roles with executive-level responsibility for overseeing data privacy and security compliance. The processes by which our senior management are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include regular reports from the Chief Legal Officer and Head of IT. Our Chief Legal Officer and Head of IT also provides quarterly briefings to the audit committee regarding our cybersecurity risks and activities, including any recent cybersecurity incidents and related responses as well as the results of our risk management activities. Our audit committee provides updates to the board of directors on such reports.

Company Information