Orchestra BioMed Holdings, Inc. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Orchestra BioMed Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:06:02 EDT.

Filings

10-K filed on 2024-03-27

Orchestra BioMed Holdings, Inc. filed an 10-K at 2024-03-27 16:06:02 EDT
Accession Number: 0001558370-24-004083

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Orchestra BioMed, ( Orchestra or Company ) maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program, in conjunction with the Company s enterprise risk management assessment processes, addresses cybersecurity risks to the corporate information technology environment including systems, hardware, software, data, people, and processes. Cybersecurity Risk Management The underlying processes and controls of cyber risk management program incorporate recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ). Orchestra has an annual assessment performed by a third-party specialist of the Company s cyber risk management program against the NIST CSF. The annual risk assessment identifies, quantifies, and categorizes material cyber risks. In addition, the Company, in conjunction with the third-party cyber risk management specialists, develops a risk mitigation plan to address such risks, and where necessary, remediate potential vulnerabilities identified through the annual assessment process. In addition, Orchestra maintains policies over areas such as information security, IT change and configuration management, acceptable use, access on/offboarding, and data backup and recovery to help govern the processes put in place by management designed to protect Orchestra s IT assets, data, and services from threats and vulnerabilities. Orchestra partners with industry recognized cybersecurity providers leveraging third-party technology and expertise. Cybersecurity partners to the Company, including consultants and other third-party service providers, are a key part of Orchestra s cybersecurity risk management strategy and infrastructure and provide services including maintenance of an IT assets inventory, periodic vulnerability testing, identity access management controls, including restricted access of privileged accounts, physical security measures at Company facilities, information protection/detection systems including 127 Table of Contents maintenance of firewalls and anti-malware tools, network and traffic monitoring and automated alerting, ongoing cybersecurity user awareness training, remote monitoring and management, capacity management, industry-standard encryption protocols, formalized processes over asset and data destruction, formalized change management processes, data backups management, infrastructure maintenance, incident response, cybersecurity strategy, and cyber risk advisory, and assessment. In the event of an incident, the Cyber Risk Committee would be notified and appropriate action would be taken to resolve the incident, including notifying senior management and, as appropriate, the Board. Orchestra has implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third-parties that may lead to a service disruption or an adverse cybersecurity incident. This includes assessment of vendors during the selection/onboarding process, internal controls and security standards of vendors, compliance with service level agreements, review of SOC 1 reports on an annual basis and a regular review of vendor contracts. Governance Orchestra s Cyber Risk Committee, in conjunction with third-party IT and cybersecurity service providers is responsible for oversight and administration of Orchestra s cyber risk management program, and for informing senior management, the Board, and other relevant stakeholders regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Company s management team has prior experience selecting, deploying, and overseeing cybersecurity technologies, initiatives, and processes via selection of strategic third-party partners (such as the Company s virtual Chief Information Security Officer) , and relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by Orchestra for strategic cyber risk management, advisory and decision making. The Audit Committee of the Board of Directors oversees Orchestra s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. Members of the Cyber Risk Committee brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the effectiveness of Orchestra s cyber risk management program, and the emerging threat landscape and new cyber risks on at least an annual basis. This includes reporting cybersecurity incidents and updates on Orchestra s processes to prevent, detect, and mitigate cybersecurity incidents. In addition, cybersecurity risks are reviewed by Orchestra s Board of Directors, at least annually, as part of the Company s corporate risk oversight processes. Orchestra faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. Orchestra acknowledges that the risk of cyber incident is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on Orchestra s business, financial condition, results of operations, or cash flows. The Company proactively seeks to detect and investigate unauthorized attempts and attacks against IT assets, data, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal processes and tools and changes or updates to the Company s service delivery however, potential vulnerabilities to known or unknown threats will remain. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors, and additional stakeholders, which could subject the Company to additional liability and reputational harm. In response to such risks, the Company has implemented initiatives such as implementation of the cybersecurity risk assessment process and development of an incident response plan. See Our information technology systems, or those of any of our CROs, manufacturers, other contractors, consultants, collaborators or potential future collaborators, may fail or suffer security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data, or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations in Item 1A (Risk Factors) for more information on cybersecurity risks.

Company Information