SELLAS Life Sciences Group, Inc. 10-K Cybersecurity GRC - 2024-03-28

Page last updated on April 11, 2024

SELLAS Life Sciences Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-28 16:01:46 EDT.

Filings

10-K filed on 2024-03-28

SELLAS Life Sciences Group, Inc. filed a 10-K at 2024-03-28 16:01:46 EDT
Accession Number: 0001390478-24-000004


Item 1C. Cybersecurity.

We recognize the critical importance of maintaining the trust and confidence of business partners, such as CROs and CMOs, clinical trial investigators, patients and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Cybersecurity Risk Management and Strategy

Effect of Risk

We face risks related to cybersecurity, such as unauthorized access, cybersecurity attacks, and other security incidents, including perpetration by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we, together with our contracted third-party cybersecurity advisors, maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring of internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. As discussed in more detail under Cybersecurity Governance below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by management.

We, with assistance from our contracted third-party cybersecurity advisors, identify our cybersecurity threat risks by comparing our processes to standards set by the National Institute of Standards and Technology, or NIST. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:

- monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
- through our policies, practices, and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
- employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls;
- provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
- conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
- conduct cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
- leverage the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is a potential cybersecurity incident; and
- carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.

Our processes also address cybersecurity threat risks associated with our selection and oversight of third-party service providers, including our suppliers and manufacturers or those who have access to patient and employee data or our systems. We generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading "Significant disruptions of information technology systems, computer system failures or cybersecurity incidents could adversely affect our business," which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents.

Cybersecurity Governance

Management

Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. Management is responsible for the operational oversight of company-wide cybersecurity strategy, policy, and standards across relevant departments to assess and help prepare us to address cybersecurity risks. The Audit Committee of the Board of Directors, or the Audit Committee, provides direct oversight over cybersecurity risk and periodically updates our Board of Directors on such matters. The Audit Committee receives periodic updates from management regarding cybersecurity matters, and is notified between such updates regarding any significant new cybersecurity threats or incidents.

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Financial Officer and Vice President, Associate General Counsel and Head of Compliance, with the assistance of our contracted third-party cybersecurity advisors. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including incident response processes. As discussed above, these management team members periodically report to the Audit Committee about cybersecurity threat risks, among other cybersecurity related matters.


Company Information

Name: SELLAS Life Sciences Group, Inc.
CIK: 0001390478
SIC Description: Pharmaceutical Preparations
Ticker: SLS - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30