Disc Medicine, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on July 16, 2024

Disc Medicine, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 08:15:40 EDT.


10-K filed on 2024-03-21

Disc Medicine, Inc. filed a 10-K at 2024-03-21 08:15:40 EDT
Accession Number: 0000950170-24-034432


Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

Disc Medicine, under the oversight of the audit committee of the board of directors, has implemented and maintains processes to review and manage enterprise risks, including annual assessments of cybersecurity risks, across the Company. Our cybersecurity risk management program, which is informed by and incorporates elements of recognized industry standards, is designed to identify, assess, and mitigate critical risks from cybersecurity threats. This program includes, but is not limited to, ongoing monitoring for potential critical risks from cybersecurity threats using automated tools.

To support our cybersecurity risk management program, we leverage a managed service provider (MSP) that provides ongoing support for the protection of our information technology infrastructure as well as a virtual Chief Information Security Officer, or vCISO. Our cybersecurity risk management strategy is informed by periodic conversations with, and risk assessments conducted by, our vCISO.

We have an employee security awareness training program, offered upon employee onboarding and on an annual basis, that is designed to raise awareness of cybersecurity threats across functions as well as to encourage consideration of cybersecurity risks across our Company. As part of this employee training program, we periodically conduct phishing simulations designed to raise employee awareness of such risks. We have also implemented a process to review contractual requirements related to information security obligations included in our agreements with certain third-party vendors and service providers, as appropriate.

We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems and infrastructure. For more information, please see Item 1A - Risk Factors.

Governance Related to Cybersecurity Risks

Our Head of Information Technology (IT), under the oversight of our General Counsel, is responsible for the administration and maintenance of our cybersecurity risk management program, including the day-to-day oversight of the assessment and management of cybersecurity risks. The individual who currently holds the title of Head of IT has more than 20 years of experience in information security and cybersecurity risk management. Our Head of IT directly reports to, and meets periodically with, our General Counsel to discuss and review our cybersecurity risk management processes, with input from the Company’s MSP and vCISO, as appropriate.

Our board of directors has delegated oversight of the Company’s cybersecurity program to the audit committee of the board of directors. As provided in the audit committee charter, the audit committee is responsible for reviewing and discussing the Company’s information security and risk management programs, controls, and procedures, including high-level review of the threat landscape facing the Company and the Company’s strategy to mitigate cybersecurity risks and potential breaches. Under the audit committee charter, the audit committee is also responsible for reviewing the recovery and communication plans for any unplanned outage or security breach.

Our Head of IT, twice a year, provides reports to the audit committee on the status of our cybersecurity program, including measures implemented to monitor and address risks from cybersecurity threats, as appropriate. He also reports on a quarterly basis to the executive committee on cybersecurity and information technology matters. The chair of the audit committee provides periodic reports on cybersecurity risk management to the full board of directors. Our General Counsel, on an annual basis, discusses the results of our enterprise risk assessment processes, including risks related to cybersecurity, with the full board of directors.

Company Information

Name: Disc Medicine, Inc.
SIC Description: Pharmaceutical Preparations
Ticker: IRON - Nasdaq
Emerging growth company
Fiscal Year End: December 30