Gain Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-26

Page last updated on April 11, 2024

Gain Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-26 16:05:45 EDT.

Filings

10-K filed on 2024-03-26

Gain Therapeutics, Inc. filed an 10-K at 2024-03-26 16:05:45 EDT
Accession Number: 0001558370-24-003943

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Management of cybersecurity risks is a component of our overall risk management strategy. We rely on information technology, communication networks, enterprise applications, accounting and financial platforms, and related systems in the operation of its business. Our operations also rely on the secure collection, storage, transmission and processing of proprietary, confidential and sensitive data. Our cybersecurity risk management strategy is designed to support us in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents with the intention of protecting the confidentiality, integrity, and availability of such systems and data. We have implemented several processes with the assistance of third parties that we engage to help us manage our overall information technology function. These include certain processes for assessing, identifying and managing cybersecurity risks and are designed to help protect our information assets and operations from internal and external cyber threats, and to protect employee, collaborator and patient information from unauthorized access or attack, as well as to secure our networks and systems. Such processes include physical, procedural and technical safeguards, response plans, regular tests on our systems, and periodic review of our policies and procedures to identify risks and refine our practices. We engage certain external parties, including consultants, computer security firms and governance experts, to enhance our cybersecurity oversight and to gain valuable insights into the ever-evolving cybersecurity landscape. Our use of third parties in the conduct of our business is significant (including suppliers, CROs, CDMOs, and other service providers, and a cybersecurity incident at third party could materially adversely impact us. We assess third party cybersecurity controls prior to engaging such third parties and include security and privacy addendums to our contracts where applicable. We also require that third party service providers or partners report cybersecurity incidents to us so that we can assess the impact of the incident on us. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. During the reporting period we have not experienced any material cybersecurity incidents nor any series of immaterial cybersecurity incidents that would require to be disclosed in this year end report. Governance Our third party service providers report to our Principal Financial Officer who is responsible for the management of the Cybersecurity program. The Principal Financial Officer on a regular basis reports to the Audit Committee. The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk, and provides updates to the Board of Directors regarding such oversight. The Audit Committee receives periodic updates 73 Table of Contents from management regarding cybersecurity matters, and is notified between such updates regarding significant new cybersecurity threats or incidents. In an effort to deter and detect cyber threats, we provide all employees, including part-time and temporary employees, with a data protection, cybersecurity and incident response and prevention material, which educates employees on the importance of reporting all incidents immediately. We also use technology-based tools that are designed to mitigate cybersecurity risks. Cybersecurity Incident Response Plan We have established a Cybersecurity Incident Response Policy ( CIRP ), which details the steps to be followed to properly respond to, contain, and remediate a cybersecurity incident. The CIRP provides a process for escalating certain cybersecurity incidents to the Board and members of management to facilitate management-level consideration as to whether a cybersecurity incident may be material to the Company and whether public disclosure of the incident is required.

Company Information