NRX Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2024-03-29

Page last updated on April 11, 2024

NRX Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-29 17:18:08 EDT.

Filings

10-K filed on 2024-03-29

NRX Pharmaceuticals, Inc. filed an 10-K at 2024-03-29 17:18:08 EDT
Accession Number: 0001558370-24-004396

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity NRx Pharmaceuticals, Inc. ( NRx or Company ) maintains a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. The underlying processes and controls of NRx s cyber risk management program incorporate recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework ( CSF ). NRx has an annual assessment performed by a third-party specialist of the Company s cyber risk management program against the NIST CSF. The annual risk assessment identifies, quantifies, and categorizes material cyber risks. In addition, the Company, in conjunction with the third-party cyber risk management specialists develop a risk mitigation plan to address such risks and, where necessary, remediate potential vulnerabilities identified through the annual assessment process. In addition, NRx maintains policies over areas such as access and account management to help govern the processes put in place by management designed to protect NRx s IT assets, data, and services from threats and vulnerabilities. NRx employs additional key practices within the cybersecurity risk management program including, but not limited to maintenance of an IT assets inventory, identity access management controls including restricted access of privileged accounts, and critical data backups to reduce cybersecurity risk . Cybersecurity partners to the Company, including consultants, are a key part of NRx s cybersecurity risk management strategy and infrastructure. The cybersecurity partners provide services including, but not limited to cybersecurity strategy, cyber risk advisory, assessment, and remediation. NRx s management team, in conjunction with cybersecurity service providers are responsible for oversight and administration of NRx s cyber risk management program, and for informing senior management and other relevant stakeholders regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Company s management team has prior experience selecting, deploying, and overseeing cybersecurity technologies, initiatives, and processes via engagement of strategic third-party partners. The Company also relies on threat intelligence as well as other information obtained from governmental, public, or private sources, including external consultants engaged by NRx for strategic cyber risk management, advisory and decision making. The Audit Committee of the Board of Directors oversees NRx s cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity stakeholders, including member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk services, brief the Audit Committee on cyber vulnerabilities identified through the risk management process, the effectiveness of NRx s cyber risk management program, and the emerging threat landscape and new cyber risks on at least an annual basis. This includes updates on NRx’s processes to prevent, detect, and mitigate cybersecurity incidents. NRx faces risks from cybersecurity threats that could have a material adverse effect on its business, financial condition, results of operations, cash flows or reputation. NRx acknowledges that the risk of cyber incident is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of its business. However, prior cybersecurity incidents have not had a material adverse effect on NRx s business, financial condition, results of operations, or cash flows. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors, and additional stakeholders, which could subject the Company to additional liability and reputational harm. In response to such risks, the Company has implemented initiatives such as a cybersecurity risk assessment process and development of an incident response plan. See Item 1A. “Risk Factors” for more information on cybersecurity risks.

Company Information