Tourmaline Bio, Inc. 10-K Cybersecurity GRC - 2024-03-19

Page last updated on April 11, 2024

Tourmaline Bio, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-19 17:02:52 EDT.

Filings

10-K filed on 2024-03-19

Tourmaline Bio, Inc. filed an 10-K at 2024-03-19 17:02:52 EDT
Accession Number: 0001827506-24-000015

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, data related to our manufacturing, clinical development and clinical trials, and personal data (collectively, Information Systems and Data ). The cybersecurity function within the Company, which comprises, in part, our internal information technology ( IT ) and legal personnel who work with external service providers (including an external chief information security officer ( CISO ) and certain information security vendors) helps identify, assess and manage the Company s cybersecurity threats and risks. Together with, and under the direction of, our Head of IT, our cybersecurity function identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods. These methods include, for example, manual and automated tools, subscriptions to services that identify cybersecurity threats and actors, evaluations of our and our industry s risk profile, evaluations of threats reported against us, work with third parties who conduct threat assessments, and conducting vulnerability assessments. Depending on the environment and data, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: strategies related to incident detection, incident response, disaster recovery and business continuity assessing security risk and the results of gap assessments conducted by third parties of certain Company systems encrypting certain data maintaining certain access and physical security controls engaging in asset, system, and vendor management conducting personnel training on cybersecurity risks and maintaining cybersecurity insurance. Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, (1) our Head of IT works with the Chief Business Officer and General Counsel, and other Company management as appropriate to prioritize our risk management processes and mitigate cybersecurity threats that may be more likely to lead to a material impact to our business and (2) our executive leadership team evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Audit Committee of the Tourmaline Board of Directors, which evaluates our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example, our external CISO, professional services firms (including legal counsel), threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, and managed cybersecurity service providers. We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, contract development and manufacturing organizations, supply chain resources, laboratories, and clinical database and data management providers and consultants. We have vendor security assessment processes such as assessing cybersecurity risks associated with our use of certain vendors for our clinical trials, manufacturing, and related operations. Our vendor risk management processes, depending upon the type of vendor, include conducting vendor risk assessments, submitting security questionnaires, conducting audits, and imposing contractual obligations related to information security and data protection. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management processes may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including Risks Related to Government Regulation, Risks Related to Intellectual Property, and risk factors entitled We, our CROs, our CDMOs, service providers, our current and potential future partners or other third parties upon which we rely, could experience 86 Table of Contents a security incident, system disruption or failure, data loss, cyberattack, or similar event that could compromise our systems and data (or those of the third parties upon whom we rely), result in material disruptions to our business operations, lead to regulatory investigations or actions, litigation, fines and penalties, affect our reputation, revenue or profits, or otherwise harm our business and We are subject to rapidly changing and increasingly stringent foreign and domestic laws, regulations, and rules, contractual obligations, industry standards, policies and other obligations relating to privacy, data protection and information security. The restrictions imposed by these requirements or our actual or perceived failure to comply with such obligations could lead to regulatory investigations or actions, litigation (including class claims) and mass arbitration demands, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, loss of customers or sales, and other adverse business consequences . Governance Our board of directors addresses the Company s cybersecurity risk management as part of its general oversight function. The Audit Committee of the Tourmaline Board of Directors is responsible for overseeing the Company s cybersecurity risk management processes, including oversight of mitigating risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our: (1) Chief Business Officer and General Counsel, who reports to the Chief Executive Officer (2) Head of IT, who reports to the Chief Business Officer and General Counsel and (3) Assistant General Counsel, who also reports to the Chief Business Officer and General Counsel. Our Head of IT is responsible for engaging and managing external consultants and vendors related to cybersecurity, hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, developing an information and cybersecurity strategy roadmap, and communicating key priorities to relevant personnel. Our Head of IT works with our Chief Business Officer and General Counsel, along with our Chief Financial Officer and Assistant General Counsel, to prepare appropriate budgets, prepare for cybersecurity incidents, review and approve cybersecurity processes, and review security assessments and other security-related reports. Our Head of IT has 18 years of experience in IT and information security functions. Our external CISO has 25 years of experience in IT and information security functions, as well as advanced degrees and certain certificates pertaining to information security. Our cybersecurity incident response strategy is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including Head of IT and/or Chief Business Officer and General Counsel. Our Head of IT works with our external CISO, managed risk detection and response vendors, the Company s legal team and external counsel, and other third-party consultants and vendors to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company s incident response strategy includes reporting to the Audit Committee of the Board of Directors for certain cybersecurity incidents. The Audit Committee receives reports from, as appropriate depending upon given circumstances, the Head of IT, the Chief Business Officer and General Counsel, or their designees concerning the Company s significant cybersecurity threats and risk and the processes the Company has implemented to address them. The Audit Committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.

Company Information