GLYCOMIMETICS INC 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

GLYCOMIMETICS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 08:25:57 EDT.

Filings

10-K filed on 2024-03-27

GLYCOMIMETICS INC filed an 10-K at 2024-03-27 08:25:57 EDT
Accession Number: 0001558370-24-004013

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk management and strategy We operate in the biopharmaceutical sector, which is a highly regulated sector subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft fraud extortion harm to employees or customers disruption of our clinical trials, manufacturing or supply chain violation of privacy laws and other litigation and legal risk and reputational risk. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including clinical trial data, intellectual property, confidential information that is proprietary, strategic, financial or competitive in nature, and personal data ( Information Systems and Data ). Our Information Technology personnel help identify, assess and manage cybersecurity threats and risks that could affect our business and Information Systems and Data, and support our efforts to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment. We use various methods and tools to identify, assess and manage our cybersecurity threats and risks, including, for example, automated tools, industry reports about cybersecurity risks and threats to our industry, third party threat assessments, and penetration testing. In addition, we utilize encryption for certain data at rest and maintain certain network security controls, such as firewalls and virtual private networks. We also conduct monitoring for certain systems and access controls in place for certain environments and systems, as well as asset management, tracking and disposal associated with onboarding and offboarding of personnel. We maintain cybersecurity insurance. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. For example, we have implemented and maintain an incident response plan, and we 54 Table of Contents utilize automated tools designed to help maintain email security. We also have certain system and password policies for computer systems managed and controlled by us, and procedures for incident management to address incidents that could impact subject safety, product quality, and data integrity in relation to our clinical trials and product development. We also periodically conduct cybersecurity incident tabletop training exercises. Our assessment and management of material risks from cybersecurity threats is integrated into various aspects of our overall risk management process. For example, our head of Information Technology evaluates material risks from cybersecurity threats and reports periodically to our Board of Directors Audit Committee, which committee is responsible for evaluation of our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, cybersecurity software providers, penetration testing firms, auditors, and professional services firms, including legal counsel. These relationships enable us to leverage specialized knowledge and insights, enabling our cybersecurity strategies and processes to remain consistent with industry best practices. We rely on third-party service providers to perform a variety of functions throughout our business, such as contract manufacturing organizations, contract research organizations, suppliers and consultants. We also rely on third parties who operate a cloud-based infrastructure for our information technology systems. We conduct quality audits of certain regulated vendors, which typically include an assessment of such vendor s information technology systems, and we may also impose appropriate contractual obligations on certain vendors pertaining to information security. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our efforts may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K. Risk Management Personnel Our Information Technology personnel responsible for cybersecurity risk assessment and management processes are managed by certain members of our executive management, including our Chief Financial Officer. Together with our executive management, our Information Technology personnel are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Governance Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of our Board is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our Audit Committee, General Counsel, and other members of our executive management, as appropriate, receive periodic reports from our Chief Financial Officer concerning significant cybersecurity threats and risk and the processes we have implemented to address them. The Audit Committee also receives various periodic presentations related to cybersecurity threats, risk and mitigation.

Company Information