AGILE THERAPEUTICS INC 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

AGILE THERAPEUTICS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:31:37 EDT.

Filings

10-K filed on 2024-03-28

AGILE THERAPEUTICS INC filed an 10-K at 2024-03-28 16:31:37 EDT
Accession Number: 0001558370-24-004262

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C, Cybersecurity, in this Annual Report on Form 10-K for more information regarding our cybersecurity risk management, strategy, and governance. Our employees, independent contractors, principal investigators, CROs, manufacturers, consultants, commercial partners and vendors may engage in misconduct or other improper activities, including noncompliance with regulatory standards and requirements and insider trading, which could significantly harm our business. We are exposed to the risk that employees, independent contractors, principal investigators, CROs, manufacturers, consultants, commercial partners and vendors may engage in fraudulent or other illegal activity, fraud or other misconduct. Misconduct by these parties could include intentional, reckless or negligent conduct or disclosure of unauthorized activities to us that violates: (i) the law and regulations of the FDA and non-U.S. regulators, including those laws that require the reporting of true, complete and accurate information to the FDA and non-U.S. regulators, (ii) healthcare fraud and abuse laws and regulations in the United States and abroad and (iii) laws that require the true, complete and accurate reporting of financial information or data. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, misconduct, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Misconduct in violation of these laws may also involve the improper use of information obtained in the course of clinical trials, which could result in regulatory sanctions and serious harm to our reputation. We have adopted a code of conduct, but it is not always possible to identify and deter misconduct by our employees and other third parties, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including enforcement actions, contractual damages, reputational harm, diminished profits and future earnings and curtailment of our operations, any of which could adversely affect our ability to operate our business and our results of operations. 49 Table of Contents Our ability to use net operating loss and tax credit carryforwards and certain built-in losses to reduce future tax payments may be limited by provisions of the Internal Revenue Code of 1986, as amended, and may be subject to further limitation as a result of our initial public offering. Sections 382 and 383 of the Internal Revenue Code of 1986, as amended, or the Code, contain rules that limit the ability of a company that undergoes an ownership change, which is generally any change in ownership of more than 50% of its stock over a three-year period, to utilize its net operating loss and tax credit carryforwards and certain built-in losses recognized in years after the ownership change. These rules generally operate by focusing on ownership changes involving stockholders owning, directly or indirectly, 5% or more of the stock of a company and any change in ownership arising from a new issuance of stock by the company. Generally, if an ownership change occurs, the yearly taxable income limitation on the use of net operating loss and tax credit carryforwards and certain built-in losses is equal to the product of the applicable long-term tax-exempt rate and the value of the company s stock immediately before the ownership change. We may be unable to offset future taxable income, if any, with losses, or our tax liability with credits, before such losses and credits expire and therefore would incur larger federal income tax liability. Our net operating loss carryforwards arising in taxable years ending on or prior to December 31, 2017 will expire between 2024 and 2037 if we have not used them. Net operating loss carryforwards arising in taxable years ending after December 31, 2017 are no longer subject to expiration under the Code. In addition, it is possible that the transactions relating to our initial public offering or subsequent public offerings, either on a standalone basis or when combined with future transactions, have caused us to undergo one or more additional ownership changes. In that event, we generally would not be able to use our pre-change loss or credit carryovers or certain built-in losses prior to such ownership change to offset future taxable income in excess of the annual limitations imposed by Sections 382 and 383 of the Code. We have not completed a study to assess whether an ownership change has occurred, or whether there have been multiple ownership changes since our inception. Risks Related to Ownership of Our Common Stock We are now listed on the OTC markets, which could affect our common stock’s market price and liquidity and reduce our ability to raise capital. On March 22, 2024, we received notice from The Nasdaq Stock Market LLC that the Nasdaq Hearings Panel has determined to delist our common stock. Suspension of trading in our common stock was effective at the open of trading on March 26, 2024. Following the delisting of our common stock from the Nasdaq Capital Market, we will continue to be a reporting company under the Securities Exchange Act of 1934. Our common stock commenced trading on the OTC Markets Group ( OTC ) platform at the open of trading on March 26, 2024 under the symbol AGRX. We have applied for trading on the OTC-QB market. We have a period of 15 days from the date of the notice letter to submit a written request for a review of the Nasdaq Hearings Panel s delisting determination by the Nasdaq Listing and Hearing Review Council (the Listing Council ). We do not plan to appeal the Nasdaq Hearings Panel s determination and expect that a Form 25-NSE will be filed with the Securities and Exchange Commission ( SEC ), which would remove our common stock from listing and registration on Nasdaq. Trading of our common stock on the OTC could make it more difficult to buy or sell our securities and to obtain accurate quotations, and the price of our securities could suffer a material decline. Delisting from Nasdaq could also impair our ability to raise capital. Delisting by Nasdaq could negatively impact the Company as it would likely reduce the liquidity and market price of the Company s common stock, reduce the number of investors willing to hold or acquire the Company s common stock, negatively impact the Company s ability to access equity markets and obtain financing, and impair the Company s ability to provide equity incentives. 50 Table of Contents We expect that our stock price may fluctuate significantly. The trading price of our common stock is highly volatile and is subject to wide fluctuations in response to various factors, some of which are beyond our control, including limited trading volume. In addition to the factors discussed in this Risk Factors section and elsewhere in this annual report, these factors include: Actual or anticipated fluctuations in our financial condition and operating results Actual or anticipated changes in our growth rate relative to our competitors Announcements by us, our collaborators or our competitors of significant acquisitions, strategic partnerships, joint ventures, collaborations or capital commitments Failure to meet or exceed financial estimates and projections of the investment community or that we provide to the public Issuance of new or updated research or reports by securities analysts, including reports that downgrade our common stock, issue unfavorable commentary, or analyst decisions to stop reporting on us or our business Fluctuations in the valuation of companies perceived by investors to be comparable to us Share price and volume fluctuations attributable to inconsistent trading volume levels of our shares Announcement or expectation of additional debt or equity financing efforts Sales of our common stock by us, our insiders or our other stockholders and General economic and market conditions. These and other market and industry factors may cause the market price and demand for our common stock to fluctuate substantially, regardless of our actual operating performance, which may limit or prevent investors from readily selling their shares of common stock and may otherwise negatively affect the liquidity of our common stock. In addition, the stock market in general, and the OTC and the stock prices of pharmaceutical companies in particular, have experienced extreme price and volume fluctuations that have often been unrelated or disproportionate to the operating performance of these companies. Raising additional capital may cause dilution to our existing stockholders or restrict our operations. We will need to seek additional capital through a combination of private and public equity offerings, debt financings and strategic collaborations. The sale of additional equity or convertible debt securities could result in the issuance of additional shares of our capital stock and could result in dilution to our stockholders. The incurrence of indebtedness would result in increased fixed payment obligations and could also result in certain restrictive covenants, such as limitations on our ability to incur additional debt, limitations on our ability to acquire or license intellectual property rights and other operating restrictions that could adversely impact our ability to conduct our business. We cannot guarantee that future financing will be available in sufficient amounts or on terms acceptable to us, if at all. If we are unable to raise additional capital in sufficient amounts or on terms acceptable to us, we will be prevented from pursuing research and development efforts and could be forced to limit funding of our efforts to commercialize Twirla. This could harm our business, operating results and financial condition and cause the price of our common stock to fall. We may be subject to securities litigation, which is expensive and could divert management attention. The market price of our common stock may be volatile, and in the past companies that have experienced volatility in the market price of their stock have been subject to securities class action litigation. We may be the target of this type of litigation, which could result in substantial costs and diversion of management s attention and resources, which could adversely impact our business. Any adverse determination in litigation could also subject us to significant liabilities. 51 Table of Contents We have never paid monetary dividends on our common stock, and we do not anticipate paying any dividends in the foreseeable future. Consequently, any gains from an investment in our common stock will likely depend on whether the price of our common stock increases. We have not paid monetary dividends on our common stock to date, and we currently intend to retain our future earnings, if any, to fund the development and growth of our business. As a result, capital appreciation, if any, of our common stock will be your sole source of gain for the foreseeable future. Anti-takeover provisions in our organizational documents and Delaware law may discourage or prevent a change of control, even if an acquisition would be beneficial to our stockholders, which could affect our stock price adversely and prevent attempts by our stockholders to replace or remove our current management. Our amended and restated certificate of incorporation and amended and restated bylaws contain provisions that could delay or prevent a change of control of our company or changes in our board of directors that our stockholders might consider favorable. Some of these provisions: Authorize the issuance of preferred stock which can be created and issued by the board of directors without prior stockholder approval, with rights senior to those of our common stock Provide for a classified board of directors, with each director serving a staggered three-year term Prohibit our stockholders from filling board vacancies, calling special stockholder meetings or taking action by written consent Provide for the removal of a director only with cause and by the affirmative vote of the holders of 75% or more of the shares then entitled to vote at an election of our directors Define the number of holders of the shares outstanding of our capital stock needed to constitute a quorum for the transaction of business at the meeting of stockholders as one-third Require advance written notice of stockholder proposals and director nominations and Require any action instituted against our officers or directors in connection with their service to the Company to be brought in the state of Delaware. In addition, we are subject to the provisions of Section 203 of the Delaware General Corporation Law, which may prohibit certain business combinations with stockholders owning 15% or more of our outstanding voting stock. These and other provisions in our amended and restated certificate of incorporation, amended and restated bylaws and Delaware law could make it more difficult for stockholders or potential acquirers to obtain control of our board of directors or initiate actions that are opposed by our then-current board of directors, including a merger, tender offer or proxy contest involving our company. This provision could have the effect of delaying or preventing a change of control, whether or not it is desired by or beneficial to our stockholders. Any delay or prevention of a change of control transaction or changes in our board of directors could cause the market price of our common stock to decline. Item 1B. Unresolved Staff Comments None. Item 1C. Cybersecurity We incorporate assessment of our cybersecurity risk management and strategy into our overall management of enterprise risk. The Company evaluates cybersecurity threat risk areas across its business including, but not limited to, operational risk, fraud, harm to employees or third parties, patient safety and violation of privacy or security-related laws or regulations. The Company has a Compliance Committee that is responsible for overseeing the enterprise risk management process. As part of our efforts to mitigate cybersecurity threats, we have implemented cybersecurity 52 Table of Contents processes, technologies, and controls designed to effectively identify and manage potential material cybersecurity threats. Assessment, Identification and Risk Management of Cybersecurity Threats We employ a range of tools and services, including regular network and endpoint monitoring, managed detection and response, system patching, managed security services, server and endpoint scheduled backups, awareness training and testing, periodic vulnerability assessment and penetration testing, to update our ongoing risk management and strategy. Furthermore, we have a cybersecurity assessment process that is conducted regularly with our current information technology (IT) services provider. -We proactively engage with our IT services provider as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. We also have used an additional third-party services provider to perform internal and external penetration testing and social engineering employee challenge testing. Governance and Oversight of Cybersecurity Threats Our information security program is managed by our Chief Corporate Planning and Supply Chain Officer (CCPO), who has more than ten years experience managing IT services for Agile and possesses the required subject matter expertise, skills, and experience expected of an individual assigned to these duties. Our information security team, which includes the CCPO as well as additional professionals from our IT services provider, is responsible for leading enterprise-wide cybersecurity threat strategy, policy, standards, and processes. Our CCPO provides regular updates to our Chief Executive Officer and other members of management regarding cybersecurity threats and participates in the quarterly Compliance Committee meetings. The Audit Committee is responsible for oversight of the Company s cybersecurity risk exposure. The CCPO provides reports to the Audit Committee and Board at least annually, which include updates on the Company s cybersecurity risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape. Incident Response and Reporting The Company has a cybersecurity policy that governs the corporate response to and communication of security incidents affecting the Company s information technology system and stresses the need for fast response times and continuous improvement in security measures. The policy requires immediate reporting of any observed security incident to the CCPO, the Company s third-party IT services provider, Chief Financial Officer, and Chief Executive Officer. The CCPO, working with our IT services provider and any other third parties required, is responsible for taking steps to minimize loss and destruction, identify and correct any weakness that was exploited, restoring IT services and continuing to communicate to senior management and the Board on the event. The CCPO is authorized to employ any third-party service providers as necessary. The policy also requires the conduct of post-incident analyses, reporting on the incident, identification of lessons learned and a close-out report. Oversight of Third-Party Providers Prior to doing business with third-party providers or suppliers with access to our network, systems or data or a third party providing cybersecurity support or infrastructure, we assess and evaluate their cybersecurity preparedness. Our assessment of cybersecurity threats associated with our third-party providers is part of our overall cybersecurity risk management framework. Impact of Cybersecurity Threat s on our Business Although risks from cybersecurity threats did not, to our knowledge, materially affect our business strategy, results of operations, or financial condition for the fiscal year ended December 31, 2023, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Part I, Item 1, Business, in this Annual Report for a discussion of notification obligations and potential liability around data security incidents, including cyberattacks. 53 Table of Contents
Item 1C. Cybersecurity We incorporate assessment of our cybersecurity risk management and strategy into our overall management of enterprise risk. The Company evaluates cybersecurity threat risk areas across its business including, but not limited to, operational risk, fraud, harm to employees or third parties, patient safety and violation of privacy or security-related laws or regulations. The Company has a Compliance Committee that is responsible for overseeing the enterprise risk management process. As part of our efforts to mitigate cybersecurity threats, we have implemented cybersecurity 52 Table of Contents processes, technologies, and controls designed to effectively identify and manage potential material cybersecurity threats. Assessment, Identification and Risk Management of Cybersecurity Threats We employ a range of tools and services, including regular network and endpoint monitoring, managed detection and response, system patching, managed security services, server and endpoint scheduled backups, awareness training and testing, periodic vulnerability assessment and penetration testing, to update our ongoing risk management and strategy. Furthermore, we have a cybersecurity assessment process that is conducted regularly with our current information technology (IT) services provider. -We proactively engage with our IT services provider as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. We also have used an additional third-party services provider to perform internal and external penetration testing and social engineering employee challenge testing. Governance and Oversight of Cybersecurity Threats Our information security program is managed by our Chief Corporate Planning and Supply Chain Officer (CCPO), who has more than ten years experience managing IT services for Agile and possesses the required subject matter expertise, skills, and experience expected of an individual assigned to these duties. Our information security team, which includes the CCPO as well as additional professionals from our IT services provider, is responsible for leading enterprise-wide cybersecurity threat strategy, policy, standards, and processes. Our CCPO provides regular updates to our Chief Executive Officer and other members of management regarding cybersecurity threats and participates in the quarterly Compliance Committee meetings. The Audit Committee is responsible for oversight of the Company s cybersecurity risk exposure. The CCPO provides reports to the Audit Committee and Board at least annually, which include updates on the Company s cybersecurity risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging cybersecurity threat landscape. Incident Response and Reporting The Company has a cybersecurity policy that governs the corporate response to and communication of security incidents affecting the Company s information technology system and stresses the need for fast response times and continuous improvement in security measures. The policy requires immediate reporting of any observed security incident to the CCPO, the Company s third-party IT services provider, Chief Financial Officer, and Chief Executive Officer. The CCPO, working with our IT services provider and any other third parties required, is responsible for taking steps to minimize loss and destruction, identify and correct any weakness that was exploited, restoring IT services and continuing to communicate to senior management and the Board on the event. The CCPO is authorized to employ any third-party service providers as necessary. The policy also requires the conduct of post-incident analyses, reporting on the incident, identification of lessons learned and a close-out report. Oversight of Third-Party Providers Prior to doing business with third-party providers or suppliers with access to our network, systems or data or a third party providing cybersecurity support or infrastructure, we assess and evaluate their cybersecurity preparedness. Our assessment of cybersecurity threats associated with our third-party providers is part of our overall cybersecurity risk management framework. Impact of Cybersecurity Threat s on our Business Although risks from cybersecurity threats did not, to our knowledge, materially affect our business strategy, results of operations, or financial condition for the fiscal year ended December 31, 2023, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Part I, Item 1, Business, in this Annual Report for a discussion of notification obligations and potential liability around data security incidents, including cyberattacks. 53 Table of Contents

Company Information