Fusion Pharmaceuticals Inc. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

Fusion Pharmaceuticals Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 16:14:05 EDT.

Filings

10-K filed on 2024-03-20

Fusion Pharmaceuticals Inc. filed a 10-K at 2024-03-20 16:14:05 EDT
Accession Number: 0000950170-24-034172


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

As part of our enterprise risk management process, we have adopted a cybersecurity risk management program designed to assess, identify, and mitigate risks from cybersecurity threats. Our cybersecurity risk management program is informed by recognized industry standards and frameworks and incorporates elements of the same, including elements of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Our cybersecurity risk management program is supported by third parties, including a managed services provider that assists the Company with, among other things, threat monitoring and incident response.

Our cybersecurity risk management program utilizes tools and processes designed to prevent, detect, and mitigate current and emerging cybersecurity threats, and we maintain procedures to address cybersecurity incidents. These tools and procedures include, but are not limited to, the use of external virtual chief information security officer (vCISO) services, annual cybersecurity risk assessments, and vulnerability scans and penetration tests. Our annual cybersecurity risk assessments are centered on three key components of cybersecurity risk management: (1) the identification of cybersecurity risks and threats; (2) the evaluation of the likelihood that these cybersecurity risks will manifest into cybersecurity threats and, should they manifest, the severity of their potential consequences; and (3) the establishment of policies and procedures intended to mitigate and contain the harm posed by cybersecurity threats.

To encourage consideration of cybersecurity risks across functions, we require employees to participate in annual cybersecurity risk awareness trainings and phishing exercises. Further, we maintain cybersecurity incident response procedures supported by our internal cybersecurity incident management team. The cybersecurity incident management team is comprised of individuals across several areas of the organization including legal, finance, quality, regulatory, IT, and investor relations. Our cybersecurity incident response program maintains procedures designed to mitigate the harm posed by cybersecurity threat actors as well as to escalate cybersecurity incidents within the organization, if necessary. We engage in tabletop exercises to test our incident response plan.

Before purchasing third-party technology or other solutions that involve exposure to the Company's systems or electronic information, we conduct a cybersecurity review of such third parties. This cybersecurity review involves the vendor's completion of questionnaires and, as appropriate, participation in cybersecurity audits.

To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats that could affect our information or systems. For more information, please refer to Item 1A, Risk Factors, in this annual report on Form 10-K.

Cybersecurity Governance

The Board of Directors has delegated oversight of the Company's cybersecurity program to the Audit Committee of the Board of Directors. As provided in the Audit Committee Charter, the Audit Committee is responsible for reviewing reports on data management and cybersecurity initiatives and significant existing and emerging cybersecurity risks, including cybersecurity incidents, the impact on the Company and its stakeholders of any significant cybersecurity incident and any disclosure obligations arising from any such incidents.

Our Senior Director, Information Technology (IT), who reports directly to our Chief Financial Officer, has primary responsibility for the day-to-day management of our cybersecurity risk management program. The individual currently operating as our Senior Director, IT has approximately thirty-four years of experience with information technology, including seventeen years of experience managing cybersecurity risk management programs. Our Senior Director, IT is supported by our internal IT team and external IT consultants, and their responsibilities include assessing, monitoring, and managing our cybersecurity risks.

Our Senior Director, IT and Chief Financial Officer present, at least annually, to the Audit Committee to discuss management's ongoing cybersecurity risk management program. The annual presentation to the Audit Committee includes information about the sources and nature of risks the Company faces, how management assesses such risks, progress on vulnerability remediation, and current developments in the cybersecurity landscape. In turn, the Chair of the Audit Committee provides an annual readout to the full Board of Directors that includes a summary of the Senior Director, IT and Chief Financial Officer's presentation, to enable discussion of cybersecurity risk management at the full Board level. When appropriate, members of our internal incident response team will also update the executive management team on developments relating to cybersecurity and, if needed, cybersecurity incidents.


Company Information

Name: Fusion Pharmaceuticals Inc.
CIK: 0001805890
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: FUSN - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company, Emerging growth company
Fiscal Year End: December 30