Kodiak Sciences Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

Kodiak Sciences Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:05:47 EDT.

Filings

10-K filed on 2024-03-28

Kodiak Sciences Inc. filed an 10-K at 2024-03-28 16:05:47 EDT
Accession Number: 0000950170-24-038025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, hardware, software, and our high value data, including intellectual property, trade secrets, confidential and sensitive information (collectively, “Information Systems and Data”). Our Chief Information Officer ( CIO") helps identify, assess and manage the Company’s cybersecurity threats and risks. Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage, mitigate and remediate material risk from cybersecurity threats to our Information Systems and Data. Our Information Security and Privacy Policy includes standards for incident response, vulnerability management, data protection and logical access controls. Our assessment and management of material risks from cybersecurity threats are integrated into our Company’s overall risk management process, which, in part, establishes intended uses of our computerized systems and identifies critical and/or material risks. After a system reaches operation, the risk management approach continues following standard processes for change control, system maintenance, logical access control, discrepancy management and periodic review. We use independent service providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats. We have a vendor management process to manage cybersecurity risks associated with our use of independent service providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve varying methods of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including If our security measures, or those maintained on our behalf by CROs, service providers or other third parties, are compromised now, or in the future, or the security, confidentiality, integrity or availability of our or others information technology, software, services, networks, communications or data is compromised, limited or fails, this could result in significant fines or other liability, interrupt our development programs, harm our reputation, or otherwise adversely affect our business. Governance The Nominating and Corporate Governance Committee of our Board of Directors is responsible for overseeing cybersecurity risk management processes, including oversight and mitigation of risk from cybersecurity threats. The Nominating and Corporate Governance Committee receives reports from the CIO, Chief Financial Officer ( CFO ) or their designee concerning the Company s material cybersecurity risks and the processes the Company has implemented in an effort to mitigate them. Our cybersecurity risk assessment and management processes are implemented and maintained by the CIO. The CIO and the CFO are responsible for overall cybersecurity risk management strategy and communicating material cybersecurity priorities to the responsible board committee. The CIO has relevant cybersecurity expertise such as: leading the enterprise IT Security program for 7 years and Supply Chain Cybersecurity efforts for 6 years at a large commercial stage biopharmaceutical company. The CIO and CFO undertake efforts to learn about the Company s cybersecurity threats by reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management follow our Information Security and Privacy Policy framework. This framework is designed to escalate certain cybersecurity incidents to certain management members (including the CIO and CFO) depending upon the circumstances. In addition, depending upon an incident s particular facts, the CIO, CFO or their designee report to the Nominating and Corporate Governance Committee of the Board of Directors for certain cybersecurity incidents. 70

Company Information