Vor Biopharma Inc. 10-K Cybersecurity GRC - 2024-03-20

Page last updated on April 11, 2024

Vor Biopharma Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-20 16:00:52 EDT.

Filings

10-K filed on 2024-03-20

Vor Biopharma Inc. filed an 10-K at 2024-03-20 16:00:52 EDT
Accession Number: 0000950170-24-034146

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, and strategic or competitive in nature, and our clinical trial and related data ( Information Systems and Data ). The Company s Vice President, Head of IT, Senior Manager of IT Infrastructure, Systems, and Security, the Company’s Information Security Management System ( ISMS ) Management Review Team, and third-party service providers (collectively, the Information Security Function ) help identify, assess, and manage the Company s cybersecurity threats and risks. The Information Security Function identifies and assesses risks from cybersecurity threats by monitoring and evaluating the Company s threat environment and risk profile using various methods and tools including, for example: subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and bad actors, conducting scans of the threat environment, and evaluating our industry s risk profile and threats reported to us. We also complete internal and external security audits, third party threat assessments, and vulnerability assessments. The Company implements and maintains technical, physical, and organizational measures designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. These measures include, for example: risk assessments, implementation of certain security standards and certifications, encryption of certain data, access and network security controls, physical security, asset management, tracking and disposal, systems monitoring, employee training, penetration testing, cybersecurity insurance, and an incident response plan. Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, the ISMS maintains a risk register related to information and security threats and evaluates and manages material risks from cybersecurity threats against our overall business objectives. This information is communicated to the audit committee of the board of directors, which evaluates the Company’s risks relating to data privacy, technology and information security, including cybersecurity. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including cybersecurity software providers, managed cybersecurity service providers, penetration testing firms, external legal counsel, and dark web monitoring services. We also use third-party service providers to perform a variety of functions throughout our business, such as application providers and hosting companies. We have a vendor management program to manage cybersecurity risks associated with our use of these providers, which includes reviewing vendor security audits and reports. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including If our information technology systems, or those of our third-party vendors, collaborators or other contractors or consultants, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to a material disruption of our product development programs, regulatory investigations or actions, litigation, fines and penalties, reputational harm and other adverse consequences. Governance Our board of directors addresses the Company s cybersecurity risk management as part of its general oversight function. The board of directors audit committee is responsible for overseeing Company s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats. 92 Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including the Senior Manager of IT Infrastructure, Systems and Security, who oversees the ISMS Management Review Team and reports to the Vice President, Head of IT. The Vice President, Head of IT is responsible for strategic leadership of our cybersecurity risk management program. The Vice President, Head of IT is responsible for hiring appropriate personnel, approving budgets, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, and communicating key priorities to relevant personnel. The Head of IT role is currently held by an individual who has approximately 35 years of professional IT management experience. The Senior Manager of IT Infrastructure, Systems and Security leads the operational and ISMS oversight of company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare employees and third-party service providers to address cybersecurity risks. The Senior Manager of IT Infrastructure, Systems, and Security has approximately 10 years of experience in IT including infrastructure and cloud administration, participation in risk management and incident response activities, vendor management, and ensuring information security policy compliance. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Chief Financial Officer, and the Chief Executive Officer. The Company s information technology department and managed service partners work with the Company s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company s incident response plan includes reporting to the audit committee of the board of directors and the chair of the board of directors for certain cybersecurity incidents. The audit committee of the board of directors receives summaries or presentations from the Vice President, Head of IT concerning the Company s significant cybersecurity threats and risk and the processes the Company has implemented to address them.

Company Information