Vaxxinity, Inc. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Vaxxinity, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 16:18:31 EDT.

Filings

10-K filed on 2024-03-27

Vaxxinity, Inc. filed a 10-K at 2024-03-27 16:18:31 EDT
Accession Number: 0001562762-24-000071


Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management. At Vaxxinity, cybersecurity risk management is an integral part of our IT strategy. Our cybersecurity risk management program is based on standard industry practices and follows the National Institute of Standards and Technology (NIST) framework, which provides steps for identifying system and operational vulnerabilities, protecting systems, detecting intrusions and malicious behavior, as well as for planning a strong response and recovery. This methodology and our smaller functional scope allow us to effectively address cybersecurity threats and incidents.

A majority of our IT systems are built on services provided by third parties. For example, we leverage commonly used foundational technologies provided by third parties, such as secure messaging gateways, enforced drive encryption and multi-factor authentication. Our choice of tools is shaped by these providers' reputations and the outcomes of our internal evaluation process. We have implemented a risk management process designed to mitigate cybersecurity risks that arise from utilizing services provided by third parties and regularly review the performance of these vendors and monitor for any adverse developments which may impact our own security posture. Our control over and ability to monitor the security posture of third parties with whom we do business remains limited and there can be no assurance that we can prevent, mitigate or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on our business from any such compromise or failure.

Employees and contractors are given cybersecurity awareness training as part of their on-boarding process. We also maintain an organizational IT and Security Policy which includes an Acceptable Use Policy that provides detailed guidelines on proper resource use and personal behavior. We require written acknowledgment of the latter document by all employees and contractors. All policies are regularly reviewed and updated to keep in line with industry developments and organizational changes. Employees and contractors across all departments are encouraged to report any concerns or suspicions to the IT department, who then investigates and recommends appropriate actions.

Our board of directors has overall responsibility for oversight of our risk management policies and procedures. Its audit committee (the "Audit Committee") is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which we are exposed and implement processes and programs to manage them and mitigate and remediate any incidents. The audit committee also reports material cybersecurity risks to our full board of directors on an as-needed basis, but no less than annually. Routine oversight of cybersecurity risk management is delegated by the Audit Committee to our Chief Legal, Compliance and Administrative Officer. The IT department, reporting directly to this Officer, is responsible for managing the cybersecurity risk management program and is responsible for identifying, considering and assessing potentially material cybersecurity risks on an ongoing basis, establishing processes to ensure that potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures and reporting to executive leadership about evolving issues. The Chief Legal, Compliance and Administrative Officer, in turn, updates the Audit Committee and board of directors of any related incidents or threats that are being addressed.

The IT department's personnel have extensive backgrounds in IT operations in similar environments and each team member has had experience managing cybersecurity issues. We have access to external advisors in connection with our cybersecurity risk management program should additional expertise be required to manage cybersecurity incidents or risk.

In 2023, we did not identify any cybersecurity threats or incidents that materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see "Risk Factors - Risks Related to Our Business and Industry" in this annual report on Form 10-K.


Company Information

Name: Vaxxinity, Inc.
CIK: 0001851657
SIC Description: Pharmaceutical Preparations
Ticker: VAXX - Nasdaq
Website
Category: Emerging growth company
Fiscal Year End: December 30