Dianthus Therapeutics, Inc. /DE/ 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Dianthus Therapeutics, Inc. /DE/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:07:40 EDT.

Filings

10-K filed on 2024-03-21

Dianthus Therapeutics, Inc. /DE/ filed a 10-K at 2024-03-21 16:07:40 EDT
Accession Number: 0000950170-24-034681


Item 1C. Cybersecurity.

We take cyber risk seriously as a part of modern enterprise risk management, protecting our stakeholders and assets, and building resilient processes. The modern threat landscape requires us to consider cyber risks, and make determinations regarding how to treat the risks. We evaluate cybersecurity risks alongside other business risks. In the ordinary course of our business, we collect, use, store, and transmit digitally confidential, sensitive, proprietary, personal, and health-related information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To that end, we rely on a multidisciplinary team (including from our IT function, senior management, and third-party service providers, as described further below) to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats. Senior management is directly involved with our efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing preparation of cybersecurity policies and procedures, testing incident response plans and engaging vendors to conduct penetration tests. Senior management participates in cybersecurity incident response efforts by being part of the incident response team and helping direct our response to cybersecurity incidents. To augment internal knowledge, we have engaged a virtual Chief Information Security Officer (vCISO) from a third-party firm that has provided IT and security services for over 17 years and utilizes industry expertise to recommend and implement best practice solutions for operational needs. The service provides a named vCISO as part of an advisory team to assess and help manage our cybersecurity program.
Cybersecurity risks are identified and processed in a Risk Register by an information security team that includes the vCISO and internal management. We conduct risk assessments, penetration testing, vulnerability scanning, receive alerts from security tools, and engage in an ongoing discussion of business processes and policy management. We use advanced tools to track governance, risk, and compliance tied to a security framework tailored from industry standards and best practices, and we test our tools and policies regularly. Third parties also play a role in our cybersecurity. We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We have implemented and maintain information security processes designed to identify, assess, and manage material risks from cybersecurity threats to critical computer networks, third-party hosted services, communications systems, hardware, software, and our critical data including confidential, personal, proprietary, and sensitive data. Accordingly, we maintain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess any potential material impact to our business. Based on our assessment, we implement and maintain risk management processes to our information assets and mitigate harm to our business. In addition to internal systems and concerns, we manage risks from third parties that are a part of business operations. This includes assessing cybersecurity risks during the vetting process and recurring assessments during the life of the engagements. Relative levels of assessment are considered with regard to business criticality of the relevant third parties. 
We rely heavily on our third-party CROs and CDMOs to manage our clinical trials and manufacture our investigational products, and a cybersecurity incident at a CRO, CDMO or other third party upon which we rely could materially adversely impact us. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity risks threats that, if realized, are reasonably likely to materially affect us. See Risk Factors in this Annual Report on Form 10-K for additional information on cybersecurity risks we face. Information from the risk management process is managed by the Information Security Team and is reported to the Board of Directors on a regular basis. We provide cybersecurity updates to our Audit Committee on a quarterly basis. In the case of an incident, relevant members of the Information Security Team are involved to assess and oversee Incident Response operations as needed, including adequate reporting of material incidents if/when appropriate. Notwithstanding the approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.


Company Information

Name: Dianthus Therapeutics, Inc. /DE/
CIK: 0001690585
SIC Description: Pharmaceutical Preparations
Ticker: DNTH - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30