ABEONA THERAPEUTICS INC. 10-K Cybersecurity GRC - 2024-03-18

Page last updated on April 11, 2024

ABEONA THERAPEUTICS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-18 07:35:57 EDT.

Filings

10-K filed on 2024-03-18

ABEONA THERAPEUTICS INC. filed an 10-K at 2024-03-18 07:35:57 EDT
Accession Number: 0001493152-24-010190

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C of this report, Cybersecurity . ITEM 1B. UNRESOLVED STAFF COMMENTS Not Applicable. ITEM 1C, Cybersecurity Cybersecurity Management and Strategy In the ordinary course of our business, we collect, use, store, and transmit confidential, financial, sensitive, proprietary, personal, and health-related information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework, and have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a dedicated Director of Information Technology. Our processes include mechanisms, controls, technologies, and systems designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. For example, we conduct penetration and vulnerability testing, and data recovery testing on a periodic basis. In addition, we consult with outside advisors and experts, when appropriate, to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company s risk environment. We also provide cybersecurity training to our employees and are formalizing an ongoing information security training program for active employees and relevant consultants to address matters such as phishing, email security, and training on data privacy. 55 We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us. However, like other companies in our industry, we and our third-party vendors have from time-to-time experienced threats to and security incidents relating to information systems. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, under the heading Risks related to cybersecurity. Governance Our Director of Information Technology, who reports to our CFO, is responsible for assessing and managing cybersecurity risks. Our Director of Information Technology has over 25 years of experience managing information technology and cybersecurity. He has a bachelor s degree in electrical engineering from Wright State University as well as a master s degree in business administration from Ashland University. He has certifications from various information technology vendors as well as experience in implementing security frameworks such as International Organization for Standardization ( ISO ) 27001 and National Institute of Standards and Technology ( NIST ). We report on our information security program, including the results of periodic testing, to the Audit Committee of the Board of Directors. Our Board s Audit Committee is responsible for overseeing our cybersecurity and information security procedures. The Audit Committee reviews management presentations concerning cybersecurity-related issues, including information security, technology risks, policies, and risk mitigation programs. The Audit Committee reports matters to the Board of Directors as needed. Our CFO, with the support of our Director of Information Technology and third-party consultants, assesses and manages cybersecurity risk, including preventing, mitigating, detecting, and addressing cybersecurity incidents, if any. Our CFO also works closely with other management positions and external legal counsel to ensure that we understands our cybersecurity risk management responsibilities.
ITEM 1C, Cybersecurity Cybersecurity Management and Strategy In the ordinary course of our business, we collect, use, store, and transmit confidential, financial, sensitive, proprietary, personal, and health-related information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework, and have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a dedicated Director of Information Technology. Our processes include mechanisms, controls, technologies, and systems designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. For example, we conduct penetration and vulnerability testing, and data recovery testing on a periodic basis. In addition, we consult with outside advisors and experts, when appropriate, to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company s risk environment. We also provide cybersecurity training to our employees and are formalizing an ongoing information security training program for active employees and relevant consultants to address matters such as phishing, email security, and training on data privacy. 55 We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us. However, like other companies in our industry, we and our third-party vendors have from time-to-time experienced threats to and security incidents relating to information systems. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, under the heading Risks related to cybersecurity. Governance Our Director of Information Technology, who reports to our CFO, is responsible for assessing and managing cybersecurity risks. Our Director of Information Technology has over 25 years of experience managing information technology and cybersecurity. He has a bachelor s degree in electrical engineering from Wright State University as well as a master s degree in business administration from Ashland University. He has certifications from various information technology vendors as well as experience in implementing security frameworks such as International Organization for Standardization ( ISO ) 27001 and National Institute of Standards and Technology ( NIST ). We report on our information security program, including the results of periodic testing, to the Audit Committee of the Board of Directors. Our Board s Audit Committee is responsible for overseeing our cybersecurity and information security procedures. The Audit Committee reviews management presentations concerning cybersecurity-related issues, including information security, technology risks, policies, and risk mitigation programs. The Audit Committee reports matters to the Board of Directors as needed. Our CFO, with the support of our Director of Information Technology and third-party consultants, assesses and manages cybersecurity risk, including preventing, mitigating, detecting, and addressing cybersecurity incidents, if any. Our CFO also works closely with other management positions and external legal counsel to ensure that we understands our cybersecurity risk management responsibilities.

Company Information