Celcuity Inc. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Celcuity Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 17:15:49 EDT.

Filings

10-K filed on 2024-03-27

Celcuity Inc. filed an 10-K at 2024-03-27 17:15:49 EDT
Accession Number: 0001493152-24-011549

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. Cybersecurity Risk Management and Strategy Our cybersecurity risk management process is a component of our overall approach to managing material risks that could impact our operations, including cybersecurity threats. In general, we seek to manage material internal and third-party cybersecurity risks through an approach that focuses on: (i) protecting information systems and the information residing therein (ii) identifying, preventing, and mitigating cybersecurity threats and (iii) assessing and responding to cybersecurity incidents when they occur. Maintaining, monitoring, and updating our information security program in an effort to ensure that it remains reasonable and appropriate in light of changes in the security threat landscape, available technology, and applicable legal and contractual requirements is an ongoing effort. We have implemented and maintain various processes, procedures, and measures to support our overall risk management strategy and to manage and mitigate the material risks posed by cybersecurity threats to our systems and data. With respect to cybersecurity, these measures include conducting risk assessments of our operations and using a risk register to assess identified risks developing business continuity, disaster recovery and incident response plans implementing technical safeguards and tools conducting ongoing cybersecurity awareness training and using contractual protections where appropriate. Our incident response plan outlines the procedures for reporting, investigating, and remediating cybersecurity incidents, including a framework to facilitate the escalation to our management team and board of cybersecurity incidents, so that our management team is alerted in a timely manner to material information that would be required to be disclosed or reported. Our Chief Financial Officer works with our IT Director regarding incident prevention and response, as well as disclosure determinations, and is accountable at the management level for our overall risk management program. She receives information about cybersecurity from our IT Director to consider as part of that program. Additionally, our Chief Executive Officer receives updates from the Chief Financial Officer and IT Director about significant threats and incidents involving cybersecurity and data protection. We use third-party service providers for a variety of services throughout our business, ranging from infrastructure support and maintenance, cybersecurity incident response, data protection and privacy compliance. In addition, we engage with contract research organizations, contract manufacturing organizations, distributors, and other supply chain resources. We believe that the use of external service providers improves our operational capabilities, and we have implemented a vendor qualification and management program that applies to our service providers that handle protected health information, personal information, or other information subject to protection under applicable privacy and data protection regulations. This program is designed to address and mitigate cybersecurity and data protection risks that arise from our use of such service providers. We do not have full visibility into the cybersecurity risk management processes of our service providers. We rely on our third-party service providers to provide notification of, and remediate, significant cybersecurity threats and cybersecurity incidents that jeopardize the confidentiality, integrity, or availability of information that we own or use. 46 We periodically evaluate, test, and update our policies, standards, and processes to mitigate cybersecurity threats and manage incidents effectively. These efforts include risk assessments, vulnerability assessments and remediations, phishing tests and employee education, and external scans. Additionally, to enhance our capabilities, we periodically engage third-party service providers, including cybersecurity consultants, to incorporate threat intelligence into our processes. As of the date of this Form 10-K, we are not aware of any risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents experienced by us or, to our knowledge, by any of our third-party service providers, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. For further discussion of cybersecurity and data privacy risks that may materially affect the Company and how they may do so, see Risk Factors If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could face clinical trial delays regulatory investigations or actions litigation fines and penalties disruptions of our business operations reputational harm and other adverse consequences, included in Item 1A of this Annual Report on Form 10-K. Governance The Board oversees Celcuity s management of risks arising from cybersecurity threats. Our management team is implementing processes for delivering periodic briefings to the Board on material cybersecurity risks that are pertinent to our business operations. Additionally, we have processes to promptly notify the Board of a significant cybersecurity incident and to inform the Board of remediation progress, as appropriate. The IT Director has overall responsibility for our information security program, with support from our management team and specialized partners in cybersecurity incident response and privacy. The process includes managing our incident response strategy. If a cybersecurity incident meets certain criteria, however, our CEO and CFO will become involved with the response strategy, including decisions about public disclosure and reporting. Our IT Director also coordinates with our CEO and CFO to determine strategic cybersecurity priorities and to establish compliance procedures. We believe our business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats. Our IT Director has served in various roles in information technology and information security for over a decade, which includes experience in the biotech, pharmaceutical and healthcare industries and experience in cybersecurity risk management and data privacy compliance. In the ordinary course of our business, we, and the third parties upon which we rely, collect, process, receive, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, share and store (collectively, process ) proprietary, confidential, and sensitive information, including protected health information, personal information, credit card and other financial information, or other sensitive information owned or controlled by ourselves or our customers, payors, and other parties.

Company Information