KIORA PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

KIORA PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 07:01:38 EDT.

Filings

10-K filed on 2024-03-25

KIORA PHARMACEUTICALS INC filed a 10-K at 2024-03-25 07:01:38 EDT
Accession Number: 0001372514-24-000026


Item 1C. Cybersecurity.

Overview

Our IT and related systems are critical to the efficient operation of our business and essential to our ability to perform day-to-day processes. We face persistent security threats, including threats to our IT infrastructure and unlawful attempts to gain access to our confidential or otherwise proprietary information, or that of our employees, via phishing/malware campaigns and other cyberattack methods.

Our security policies and processes are based on industry best practices and are revisited regularly to ensure their appropriateness based on risk, threats and current technological capabilities. We regularly assess our threat landscape and monitor our systems and other technical security controls, maintain information security policies and procedures, including a breach response plan, ensure maintenance of backup and protective systems, and engage with a Managed Service Provider who has a team of security personnel managing our efforts and initiatives. We review System and Organization Controls 1 (SOC 1 Type II) certifications where relevant from key third party partners and other service providers with access to information assets at least annually.

We maintain Information Systems Incident Management Standards that are intended to ensure information security events and weaknesses associated with information systems are communicated and acted on in a timely manner. Our internal controls and procedures address cybersecurity and include processes intended to ensure that security breaches are reported to appropriate personnel and, if warranted, analyzed for potential disclosure. While we have experienced cybersecurity attacks, such attacks to date have not materially affected the Company or our business strategy, results of operations, or financial condition.

From an operational perspective, we use vulnerability scanning tools to assess potential data security risks. We correlate the results and prioritize any key actions based on threat modeling analysis and monitor any such actions in-progress with the system owners based on assigned timelines for remediation. However, patch and vulnerability management, including for products and information assets, remains a complex and key risk that can lead to exploits, security breaches and service disruption.

In addition, our online employees are required to participate in cyber, information security, and privacy training at least annually. We also maintain insurance coverage that is intended to address certain aspects of cybersecurity risks. To date, there have not been any cybersecurity threats that have materially affected the Company.

Governance

Board Oversight of Cybersecurity Matters

Assessing and managing information security matters is the responsibility of our full Board of Directors. The Board meets with the senior executives, specifically the Chief Development Officer, Chief Executive Officer, and Executive Vice President of Finance on at least an annual basis to discuss cybersecurity posture. The Board also periodically receives targeted briefings related to cybersecurity and reviews our incident response capabilities.

Management of Cybersecurity Risks

The senior executives work to protect our information systems from cybersecurity threats and to promptly assist in coordinating a response to any cybersecurity incidents in accordance with our cybersecurity incident response and recovery plans. We have engaged an IT Managed Service Provider who assists in the oversight of our corporate-wide data security, including developing, implementing and enforcing security policies to manage our overall cybersecurity risks. The senior executives regularly meet with our IT Managed Service Provider during the course of the year to review and discuss cybersecurity issues.

Strategy

Our Security Culture

We protect our information assets and manage risk by promoting a culture that communicates security risks, designs secure IT systems and operates according to approved processes to reduce the likelihood and impact of security incidents. We achieve this objective by:

- Designing, implementing and maintaining solutions with appropriate security controls
- Sustaining solutions with required patching and vulnerability remediation
- Creating and executing controls in support of policy as well as regulatory compliance
- Ensuring that our policies, processes, practices and technologies proactively protect, shield, defend and remediate cyber threats and
- Delivering quality communications and annual training to stakeholders on cyber awareness and computing hygiene.

We believe that the conduct of our employees is critical to the success of our information security. We keep our employees apprised of threats, risks and the part that they play in protecting both themselves and the company. We conduct periodic compliance training for our employees regarding the protection of sensitive information, which includes training intended to prevent the success of cyberattacks. We also conduct regular phishing simulations to increase employee awareness on how to spot phishing attempts, and what to do if they suspect an email to be a phishing attack.

We execute penetration testing against our technical environment and processes, and continuously monitor our network and systems for signs of intrusion. We also retain consultants to enhance our penetration testing program with current trends and methodologies utilized against other companies, ensuring we are proactively reducing risk from emerging threats.

We assess our service providers prior to allowing our information to be processed, stored or transmitted by third parties, and we include standardized contractual requirements in each contract where appropriate. We validate our service providers' security via questionnaires, open-source intelligence and, where appropriate, SOC 1 Type II reports on financially significant third-party service providers. Our process also includes regular monitoring of risk related to third parties on a periodic basis or when services or product purchases expand beyond their original scope or intended use.


Company Information

Name: KIORA PHARMACEUTICALS INC
CIK: 0001372514
SIC Description: Pharmaceutical Preparations
Ticker: KPRX - Nasdaq; KPHMW - OTC
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30