Avalo Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

Avalo Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 16:05:04 EDT.

Filings

10-K filed on 2024-03-29

Avalo Therapeutics, Inc. filed a 10-K at 2024-03-29 16:05:04 EDT
Accession Number: 0001628280-24-013786


Item 1C. Cybersecurity.

Avalo's management and Board of Directors recognize the importance of information security and managing cybersecurity risks across the enterprise. We have strategically designed our robust Information Security Program (the "Program") to assess, identify, and manage these cybersecurity risks, protect the Company from such risks, and respond to, and recover from, cybersecurity incidents.

The Company's Information Security Working Group ("ISWG") is actively engaged in managing cybersecurity risks and overseeing the design, implementation, and evaluation of the Program. The purpose of the ISWG is to define cybersecurity risk tolerance, guide implementation of the Program, monitor Program development and effectiveness, and validate investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the head of the Company's Human Resource department, the Senior Vice President of Program Management, Corporate Infrastructure, and Clinical Operations, the Senior Vice President of Regulatory and Quality Assurance, and the Company's head of Information Technology. The group meets quarterly to review the effectiveness of the Program, discuss any new developments and potential improvements to the Program, and evaluate internal and external security-related events to determine how Avalo can take appropriate steps to mitigate such risks.

The Audit Committee (the "Committee") is primarily responsible for oversight of the Program. The Committee is composed of directors with expertise in technology, audit, finance, and compliance, equipping them to effectively oversee the program.

Yingping Zhang serves as our Vice President of Information Technology, and she also helps oversee the implementation and effectiveness of the Program as a member of the ISWG. Ms. Zhang graduated from the University of Pittsburgh with a Master of Science in Electrical Engineering and has over thirty years of experience as an information technology professional. Prior to Avalo, Ms. Zhang worked as an Executive Consultant for Insightful Group, the Vice President of Information Technology at Horizon, and the Vice President of Informational Technology and Information Services at Viela Bio, among other positions within biopharma companies. Ms. Zhang reports to Lisa Hegg, Senior Vice President, Program Management, Corporate Infrastructure, and Clinical Operations. Ms. Hegg provides information technology and cybersecurity reports as necessary at meetings of management's Disclosure Committee, which is communicated quarterly to the Audit Committee, with greater frequency as necessary.

Ms. Zhang regularly informs Ms. Hegg, our Chief Executive Officer (CEO) and other members of the leadership team, about the Program, best practices, current cybersecurity threats, the risk landscape, and mitigation strategies. These reports include the following on an as-needed basis: updates on the Program; assessment of the Program; emerging risks or concerns; policies, procedures, and training; and risk mitigation strategies.

The underlying controls of our Program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Ms. Zhang is responsible for developing enterprise-wide cybersecurity strategy, architecture, policies, processes, and controls, and is directly responsible for our cybersecurity program.

We use various tools and methodologies to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and using third-party service providers. These third parties include cybersecurity managed security service providers (MSSPs), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. To ensure we use reputable vendors for our information systems, we review and confirm SOC 1 reports for vendors providing critical business services. For vendors handling Avalo's clinical and manufacturing information, we employ quality agreements and vendor audits to ensure vendor compliance with our Program and all applicable regulatory requirements. We also engaged internal auditors to conduct a walkthrough of our information technology control environment, test our information technology controls, and report to us any findings. External security service firms monitor the Company's networks at all times, and Company laptops are patched weekly with up-to-date antivirus and real time threat-monitoring protection. Further, we actively engage with key vendors, industry participants, and law enforcement officials as part of our continuing efforts to evaluate and improve our Program.

Our regular interactions with third-party vendors and suppliers pose a cybersecurity risk that could adversely impact our business or employees. We conduct information security assessments before onboarding and upon detection of an increase in risk profile. In addition, we require providers to meet appropriate security requirements, controls and responsibilities and include additional security and privacy addenda to our contracts where applicable.

Internally, our employees are a key part of our Program. All Avalo employees and contractors are required to participate in annual security awareness training, which includes phishing simulations. Company Employees are also trained on policies of information security and acceptable usage of systems, as well as procedures related to electronic record management, and Avalo regularly reviews and updates user accounts and permissions and ensures that only approved applications are installed on Company devices. The Company manages endpoints centrally and content can be deleted remotely in the event of stolen devices or terminated users.

To date, Avalo has not identified any cyber event or risks from cybersecurity threats that could be considered material, individually or in the aggregate. Notwithstanding our vigilance and our Program, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. For further information, refer to Section 1A, "Risk Factors," for a discussion of risks related to cybersecurity and technology.


Company Information

Name: Avalo Therapeutics, Inc.
CIK: 0001534120
SIC Description: Pharmaceutical Preparations
Ticker: AVTX - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30