Scholar Rock Holding Corp 10-K Cybersecurity GRC - 2024-03-19

Page last updated on April 11, 2024

Scholar Rock Holding Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-19 07:16:49 EDT.

Filings

10-K filed on 2024-03-19

Scholar Rock Holding Corp filed an 10-K at 2024-03-19 07:16:49 EDT
Accession Number: 0001558370-24-003540

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy We have processes for assessing, identifying and managing cybersecurity risks, which are informed by industry standards and built into our overall enterprise risk management function and are designed to help protect our information assets and operations from internal and external cyber threats, and to protect employee, collaborator and patient information from unauthorized access or attack. We maintain a team of internal and external information technology specialists who are responsible for the design, implementation, and operation of our information technology ecosystem and cybersecurity governance processes. We engage with certain external parties, including consultants, computer security firms and risk management advisors, peer companies, and industry groups in an effort to enhance our cybersecurity oversight and risk management strategy. We also use security technologies, including third-party solutions and monitoring tools that are designed to identify and mitigate cybersecurity risks. Further, we regularly engage third parties to conduct penetration testing, security assessments and tabletop exercises. We also engage a virtual chief information security officer ( vCISO ) to support and advise on our cybersecurity program. We have a process to consider the internal risk oversight programs of critical third-party service providers before engagement, including through security questionnaires and contractual requirements, as appropriate. In addition, in an effort to deter and detect cyber threats, we have implemented an annual training program to provide employees with data protection, cybersecurity and incident response and prevention training. 105 Table of Contents We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats and security incidents that could affect our information or systems. For more information, please see the section entitled Risk Factors. Governance Related to Cybersecurity Risks The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk and provides updates to the Board of Directors regarding such oversight. The Audit Committee receives periodic updates from management, including from our Vice President, Information Technology, or the VP of IT, regarding cybersecurity matters, such as relevant cybersecurity risk assessments, as applicable. We have established a process for the Audit Committee to be notified in the event of significant cybersecurity threats or incidents. The VP of IT leads the operational oversight of company-wide cybersecurity strategy, policies, processes, and support staff. Additionally, the VP of IT works across all relevant departments to assess and help prepare us and our employees to address cybersecurity risks. The VP of IT reports and provides regular updates to the Chief Operations Officer and Chief Financial Officer on the cybersecurity program as well as periodic updates to executive management, as needed. Our VP of IT has worked in the information technology field for over 19 years at biotechnology companies including publicly-traded organizations.

Company Information