DURECT CORP 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

DURECT CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:52:22 EDT.

Filings

10-K filed on 2024-03-28

DURECT CORP filed an 10-K at 2024-03-28 16:52:22 EDT
Accession Number: 0000950170-24-038141

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy: We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks intellectual property theft fraud extortion harm to employees or customers violation of privacy or security laws and other litigation and legal risk and reputational risks. We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to identify, assess, and manage material risks, as well as to test and improve our incident response plan. Our approach includes, among other things: We conduct regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K. Disaster Recovery is tested using various methods such as recovery exercises to simulate a response to a cybersecurity incident, and we use the findings to improve our security, processes, procedures and technologies. Regular cybersecurity training programs are in place for employees, management and directors. In addition, we conduct annual customer data handling and use requirements training for all employees. We compare our processes to standards set by the NIST. Incident handling incorporates the NIST incident handling framework to develop our cybersecurity response procedures and to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident. We routinely identify and filter out potential threats through threat intelligence processes, attack signatures, and geographic IP filtering. We closely monitor emerging data protection laws such as GDPR and carefully implement changes to our processes when required for compliance. We conduct regular phishing email simulations for all employees to enhance awareness and responsiveness to such possible threats. Through policy, practice and contract (as applicable), we require employees, as well as third-parties who provide services on our behalf, to treat customer information and data with care. We maintain cybersecurity insurance coverage. Our process for identifying and assessing material risks from cybersecurity threats incorporates a risk matrix for identifying risk levels for interconnected systems. As part of this process appropriate disclosure personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. 64 As part of the above approach and processes, we regularly engage with assessors, consultants and other third-parties to review various parts of our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. Our processes also address oversight and identification of cybersecurity threat risks from our use of third-party service providers, including those in our supply chain. This involves, among other things, conducting pre-engagement risk-based diligence, implementing contractual security and notification provisions, and ongoing monitoring as needed. We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, included as part of our risk factor disclosures at Item 1A of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein. In the last two fiscal years, we have experienced no material cybersecurity incidents, and the expenses we have incurred from any cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. Cybersecurity Governance: Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board of Directors (our Board or Board of Directors ) and management. The audit committee of our Board (the “Audit Committee”) is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, Audit Committee members generally receive materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Executive Director of IT. Members of the Audit Committee and the full Board are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Materials of our cybersecurity threat risk management and strategy processes are also periodically reviewed with the full Board. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Executive Director of IT. This individual has over 25 years of prior work experience in various roles involving: managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, and developing and implementing IT change control policies and procedures, as well as holds several relevant degrees and certifications, including a master s degree in Computer Information Systems, Certified in Security+, and has completed extensive cybersecurity training and testing in: Certified Professional Hacker (EMC White Hat Training), ISC2 Certified Information Systems Security Professional (CISSP) Training, and NIST Framework Development and Deployment. Our Executive Director of IT is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident. 65 As discussed above, our Executive Director of IT reports to our CEO and informs the members of the Audit Committee and the full Board about cybersecurity threat risks, among other cybersecurity related matters. All executives attend cybersecurity training annually.

Company Information