Biomea Fusion, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Biomea Fusion, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:05:46 EDT.

Filings

10-K filed on 2024-03-28

Biomea Fusion, Inc. filed an 10-K at 2024-03-28 16:05:46 EDT
Accession Number: 0000950170-24-038026

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We regularly assess risks from cybersecurity threats monitor our information systems for potential vulnerabilities and test those systems pursuant to our internal information technology policies which are inclusive of cybersecurity policies, processes, and practices. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. Our Cyber Security Committee, which is comprised of representatives from our business operations and support functions, assesses risks based on current risks we are aware of, probability and potential impact to key business systems and processes. Risks that are considered high are incorporated into our overall risk management program. A mitigation plan is developed for each identified high risk, with progress reported to the Cyber Security Committee and tracked as part of our overall risk management program overseen by the Audit Committee of our board of directors. We collaborate with third party vendors as deemed necessary to assess the effectiveness of our information technology environment, which is inclusive of our cybersecurity prevention and response systems and processes. These third party vendors include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We have implemented a third-party cybersecurity risk management process to conduct due diligence on external entities that are determined to be of higher risk due to the Sensitive Information that they have access to, including those that perform cybersecurity services. Cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our Company. Refer to the risk factor captioned If our security measures are compromised, or the security, confidentiality, integrity, or availability of our information technology, software, services, communications, or data is compromised, limited, or fails, this could result in a material adverse impact in Part I, Item 1A. Risk Factors for additional description of cybersecurity risks and potential related impacts on our Company. Governance Our board of directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee of the board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats, when applicable, and reports from the Chief Financial Officer on our enterprise risk profile on an annual basis. The Audit Committee reviews our information technology environment risk, which is inclusive of our cybersecurity risk profile with management on a periodic basis using key performance and/or risk indicators. These key performance indicators are metrics and measurements designed to assess the prevention, detection, and mitigation efforts of our cybersecurity program, as well as our remediation of cybersecurity incidents, as applicable. We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. The Company’s Head of Information Technology, and the Cyber Security Committee, is responsible for the establishment and maintenance of our cybersecurity program, as well as the assessment and management of cybersecurity risks. The current Head of Information Technology has over 20 years of experience in information security and possesses the education, skills, experience, and industry certifications expected by our company of an individual assigned to these duties. The Head of Information Technology provides periodic updates on our information technology environment risk, which is inclusive of our cybersecurity risk profile, to the Board of Directors, which includes the Audit Committee members. 97

Company Information