KINETA, INC./DE 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

KINETA, INC./DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:06:50 EDT.

Filings

10-K filed on 2024-03-21

KINETA, INC./DE filed an 10-K at 2024-03-21 16:06:50 EDT
Accession Number: 0000950170-24-034676

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks intellectual property theft fraud extortion harm to 92 employees or customers violation of privacy or security laws and other litigation and legal risk and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks. As part of this process, and our processes to provide for the availability of critical data and systems, maintain regulatory compliance, identify and manage our risks from cybersecurity threats, and to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities, among others: closely monitor emerging data protection laws and implement changes to our processes designed to comply undertake regular reviews of our consumer facing policies and statements related to cybersecurity proactively inform our customers of substantive changes related to customer data handling conduct annual customer data handling and use requirements training for all our employees conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data conduct regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care conduct regular network monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K) carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident and conduct annual training with all employees on our security standards and requirements. In the event of a cybersecurity incident, we will coordinate with our third-party cybersecurity advisor to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. As part of the above processes, we regularly engage with assessors, consultants, auditors, and other third parties, including by regularly having a third party review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. Our internal processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. We determine an overall risk assessment of potential cybersecurity issues with our third-party suppliers. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. Additionally, if appropriate, we require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our audit committee is responsible for the oversight of risks from cybersecurity threats. At least annually, the audit committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the audit committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging material cybersecurity threat risks, and describing the Company s ability to mitigate those risks, and discusses such matters with certain members of management, which include our CFO and President. Members of the audit committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our President. Such individual completed a certificate program with Stanford University on Foundations of Information Security in the first quarter of 2024. In addition, he has over 20 years of executive responsibility for managing public company IT operations, including managing information security, developing cybersecurity 93 strategy, implementing effective information and cybersecurity programs and deployment of internal training and company technology standards. This member of management is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through his management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, this member of management reports to the audit committee about cybersecurity threat risks, among other cybersecurity related matters.

Company Information