Skye Bioscience, Inc. 10-K Cybersecurity GRC - 2024-03-21

Page last updated on July 16, 2024

Skye Bioscience, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 20:41:37 EDT.


10-K filed on 2024-03-21

Skye Bioscience, Inc. filed a 10-K at 2024-03-21 20:41:37 EDT
Accession Number: 0001516551-24-000048


Item 1C. Cybersecurity.

We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program, in conjunction with the Company’s enterprise risk management assessment processes, addresses cybersecurity risks to the corporate information technology (“IT”) environment including systems, hardware, software, data, people, and processes.
The underlying processes and controls of our cyber risk management program are designed based on standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”). Skye has an annual assessment performed by a third-party specialist of its cyber risk management program against the NIST CSF. The annual risk assessment identifies, quantifies, and categorizes significant cyber risks. In addition, the Company, in conjunction with the third-party cyber risk management specialists, develops a risk mitigation plan to address identified risks and, where necessary, remediate potential issues identified through the annual assessment process.
In addition, we maintain an information security policy that covers safeguarding and managing confidential information, handling personal and company-sensitive data, managing access on/off-boarding and user accounts, acceptable use and IT change management to help govern the processes put in place by management designed to protect Skye’s IT assets, data, and services from threats and vulnerabilities. We partner with industry recognized cybersecurity providers leveraging third-party technology and expertise.
We and our cybersecurity partners maintain an IT assets inventory, identity access management controls including restricted access of privileged accounts, physical security measures at Company facilities, information protection/detection systems including maintenance of firewalls and anti-malware tools, network and data traffic monitoring and automated alerting, capacity management, industry-standard encryption protocols, formalized change management processes, critical data backups infrastructure maintenance, incident response, cybersecurity strategy, and cyber risk advisory, assessment and remediation. Our management team is responsible for oversight and administration of our cyber risk management program, and for informing senior management and other relevant stakeholders regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. Our management team has experience selecting, deploying, and overseeing cybersecurity technologies, initiatives, and processes directly or via selection of strategic third-party partners, and relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by Skye for strategic cyber risk management, advisory and decision making. We have implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical IT service providers, and other third-parties that may lead to a service disruption or an adverse cybersecurity incident. This includes processes for performing due diligence upon on-boarding. The Audit Committee of the Board of Directors oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. 
The cybersecurity stakeholders, including management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk services, brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the effectiveness of our cyber risk management program, and the emerging threat landscape and new cyber risks on at least an annual basis. This includes updates on our processes to prevent, detect, and mitigate cybersecurity incidents. In addition, cybersecurity risks are reviewed by our Board of Directors at least annually, as part of our corporate risk oversight processes.
We face risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. We acknowledge that the risk of cyber incidents is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on our business, financial condition, results of operations, or cash flows. We proactively seek to detect and investigate unauthorized attempts and attacks against IT assets, data, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to our service delivery; however, potential vulnerabilities to known or unknown threats will still remain and we may not be able to prevent security incidents in the future. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors, and additional stakeholders, which could subject us to additional liability and reputational harm. In response to such risks, we have implemented initiatives such as implementation of the cybersecurity risk assessment process and development of an incident response plan.
See Item 1A. “Risk Factors” for more information on cybersecurity risks.

Company Information

Name: Skye Bioscience, Inc.
SIC Description: Pharmaceutical Preparations
Ticker: SKYE - OTC
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30