Stoke Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-25

Page last updated on April 11, 2024

Stoke Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-25 16:07:42 EDT.

Filings

10-K filed on 2024-03-25

Stoke Therapeutics, Inc. filed an 10-K at 2024-03-25 16:07:42 EDT
Accession Number: 0000950170-24-035912

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We recognize the critical importance of maintaining the trust and confidence of our all of our stakeholders. Our business increasingly depends on the efficient and uninterrupted operation of our information technology systems and those of our third-party contract research organizations, contract manufacturing organizations, or other vendors, contractors or consultants. Our board of directors and our management team are actively involved in the oversight of risk management, and cybersecurity represents an important component of our overall approach to compliance and risk management. Our cybersecurity policies, standards, processes and practices are integrated into our approach to compliance and risk management and follow recognized industry best practices. In general, we seek to address cybersecurity risks through a cross-functional approach that is focused on preserving the confidentiality, integrity, and availability of the information that we collect, process, and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity Risk Mitigation As one of the critical elements of our overall approach to compliance and risk management, our cybersecurity program is focused on the following key areas: Confidentiality and Integrity: To ensure the confidentiality and integrity of data and systems, we leverage encryption of data during transfer and at rest whenever possible and as necessary, least privileged access when granting access, strong passwords and two-factor authentication, and version-controlled file systems. Availability: To preserve the availability of data and systems, we perform daily backups with some occurring multiple times a day. Additionally, to mitigate ransomware, data is stored in version-controlled file systems. When implementing systems, architectural patterns for redundancy and failover are used. Other Technical Safeguards: Additional technical safeguards that are designed to protect our information systems from cybersecurity threats include endpoint tools that detect and prevent threats on a computer and monitor for vulnerabilities, next generation firewalls, intrusion prevention and detection systems, and cybersecurity testing of our systems. Monitoring: We maintain a security operations center that monitors our systems and networks for anomalous activity. Additionally, our information technology ( IT ) team actively monitors different cybersecurity threat intelligence sources and responds accordingly based on risk. Education and Awareness: We provide regular, mandatory security awareness training for personnel to educate our employees on cybersecurity threats and to communicate our evolving information security policies, standards, processes, and practices. In addition to the training, we periodically test employees with phishing emails. Collaborative Approach: We have implemented a cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner. Incident Response and Recovery Planning: We have established and maintain comprehensive incident response and recovery plans to address our response to a cybersecurity incident. 79 Third-Party Risk Management: We maintain a risk-based approach to identifying cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. Policies and Processes: We engage in the periodic assessment of our policies, standards, processes, and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, penetration testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The results of such exercises, if material, are reported to the audit committee of our board and our board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews. Governance Our board of directors, in coordination with our audit committee, oversees our risk management process. Our audit committee receives presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Our board of directors and audit committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On a periodic basis, our board of directors and audit committee discuss our approach to cybersecurity risk management with our head of IT. Our head of IT, in coordination and with support from our executive management team, works collaboratively across the company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Through ongoing communications with our entire employee basis and appropriate third-party contractors, the head of IT and the management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to our audit committee when appropriate. Our head of IT has over 20 years of experience building and managing information systems with cybersecurity principles, such as least privileged access, patching and vulnerability management, encryption, etc., as part of a foundation to ensure confidentiality, integrity, and availability. Our head of IT has also served in consulting and architecture roles for cybersecurity and compliance projects ranging from design and auditing systems, red team testing, to compliance audits and remediation for the Sarbanes-Oxley Act of 2002, as amended, and the payment card industry data security standards. No cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition 80

Company Information