Nkarta, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Nkarta, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:23:12 EDT.

Filings

10-K filed on 2024-03-21

Nkarta, Inc. filed an 10-K at 2024-03-21 16:23:12 EDT
Accession Number: 0000950170-24-034735

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We continuously monitor our information systems to assess, identify, and manage risks from vulnerabilities and assess cybersecurity threats. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process. We monitor risks through routine security assessments and implementation of enhancements to security measures used to protect our systems and data. We address system alerts on an ongoing basis. We maintain an Incident Response Plan Policy (“IRP”), which sets forth processes we will follow to address incidents as defined in the IRP, which include an actual or reasonably suspected cyber incident. Our information technology team promptly responds to system alerts and reported incidents that indicate the suspected presence of an incident and escalates in accordance with the IRP. The IRP, among other things, provides for a cross-functional team consisting of representatives from informational technology, risk management, legal, and communications, an Incident Response Team (“IRT”), that collaborates to quickly assess the impact, mitigate risks to information systems, and resolve incidents while improving information systems. Depending on the incident, we may utilize third-parties for assistance in investigating and addressing cybersecurity incidents.i We also utilize certain third-party service providers to perform a variety of critical business functions and recognize that we are exposed to cybersecurity threats associated with our use of third-party service providers. We have certain vendor management processes designed to help manage cybersecurity risks associated with our use of certain of these providers. Additionally, we strive to minimize cybersecurity risks when we first select or renew a vendor by including cybersecurity risk as part of our overall vendor evaluation and due diligence process. We have not had cyber incidents that have materially affected our business or financial condition. For details about our risks associated with cybersecurity threats, see Computer system interruptions or security breaches of our information systems could significantly disrupt our product development programs and our ability to operate our business. in the section titled Risk Factors in Part I, Item 1A in this Annual Report on Form 10-K. Governance Management is responsible for identifying and assessing material risks for the business on an ongoing basis, including in relation to cybersecurity. As part of this process, our IRT is tasked with implementing and maintaining our cybersecurity programs, including establishing processes to ensure that potential cybersecurity risk exposures are monitored and putting in place appropriate mitigation measures. Our Chief Financial and Business Officer oversees our information technology department which monitors the prevention, detection, mitigation, and remediation of cyber incidents, if any, and reports all potential incidents and an initial assessment of such incident to the IRT. Our Chief Financial and Business Officer has over 6 years of experience with overseeing risk, compliance, and information technology functions. Our Board of Directors (the “Board”) oversees our risk management program as part of its general oversight function. The Board s Audit Committee is delegated the responsibility for reviewing and discussing with management our program to identify, assess, manage, and monitor significant business risks, including financial, operational, privacy, business continuity, legal and regulatory, reputation risks, and security, including cybersecurity. The Audit Committee receives quarterly updates from management regarding investigated incidents and periodic updates from management regarding cybersecurity matters (including the current threat landscape and cybersecurity risks). The Audit Committee may provide updates to the Board on the substance of these reports and any recommendations for improvements that the Audit Committee deems appropriate. 99

Company Information