CNS Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

CNS Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 17:00:31 EDT.

Filings

10-K filed on 2024-04-01

CNS Pharmaceuticals, Inc. filed a 10-K at 2024-04-01 17:00:31 EDT
Accession Number: 0001683168-24-002032


Item 1C. Cybersecurity.

There have been an increasing number of cyberattacks on companies around the world, which have caused operational failures, compromised sensitive corporate or customer data, and/or resulted in significant financial damages. These attacks have occurred over the internet, through malware, viruses or attachments to e-mails, or through inside actors with access to systems within the organization.

Risk Management and Strategy

We have recently implemented additional security measures as part of an evolving cybersecurity posture and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks and mitigate the damage that could result from such an attack. All employees have recently (subsequent to December 31, 2023) begun receiving cybersecurity training and other education regarding their use of computers, information technology, and sensitive data including specifically how to recognize common attack strategies.

As the Company does not have a physical office location, it does not have a local network or in-house servers and proprietary applications. We therefore utilize third-party applications and resources to support our information technology (IT) needs. All applications utilized by the Company are Software as a Service (SaaS) offerings. As our applications are developed and managed by third parties, we are dependent on these providers for many functions including disaster recovery during a disaster or cyber incident. Our goal is to only utilize the most secure and trusted providers for our IT needs. To this end, we are currently reviewing the security credentials and certifications of our key application providers. Our business continuity plans are evaluated against evolving security and service level standards, which includes evaluating those cybersecurity threats associated with our use of key third party service providers.

Our cybersecurity management strategy consists of utilizing a combination of employee education, preventative controls, detective controls, and periodic third-party cybersecurity testing. During fiscal year 2023 we began to deploy and utilize enterprise scale technology to support an appropriate cybersecurity posture including: endpoint detection and response, firewalls, security information and event management, email security, multifactor authentication, and vulnerability management, with deployment of these tools completed subsequent to December 31, 2023. As part of the service offering from our outsourced IT security services provider, cybersecurity related alerts will be issued to us as relevant situations develop. These alerts will be evaluated in concert with our IT provider and in the event an alert requires action within our environment, such actions will be taken promptly. Our process and cybersecurity posture will continue to be refined based on the results of periodic cybersecurity assessments conducted jointly with our IT provider. We have recently begun reporting on cybersecurity in reports to the Board of Directors and will continue to do so.

To operate our business, we rely upon certain third-party service providers to perform a variety of functions, such as outsourced business critical functions, clinical research, professional services, SaaS platforms, managed services, cloud-based infrastructure, content delivery, encryption and authentication technology, corporate productivity services, and other functions. We are developing certain vendor management processes designed to help to manage cybersecurity risks associated with our use of certain of these providers.

Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, conducting on-site inspections, requiring their completion of written questionnaires regarding their services and data handling practices, and conducting periodic re-assessments during their engagement. For our largest third-party provider, our Contract Research Organization (CRO) which is helping us manage our potentially pivotal global trial of Berubicin, we are currently conducting a comprehensive security assessment and review including their cybersecurity practices, protocols and protections, handling of information protected by HIPAA, and physical security.

Governance

The Board of Directors is responsible for oversight of cybersecurity risk. Our Chief Financial Officer and Chief Executive Officer are the members of management responsible for managing and assessing our cybersecurity practices and have recently (subsequent to December 31, 2023) commenced reporting on such practices and risks. The plan for the future is that they will continue to report to the Board on cybersecurity at least quarterly. Should any cybersecurity threat or incident be detected, our senior management team would timely report such threat or incident to the Board of Directors and provide regular communications and updates throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken.

We believe we are appropriately staffed (as supported by our outsourced IT provider) to support a healthy cybersecurity posture given our size and scope. Our Chief Financial Officer, who reports to the Chief Executive Officer, is directly responsible for IT functions and has earned a Master of Business Administration and also a Master of Science degree in Accounting with a Management Information Systems concentration. To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the above aforementioned efforts, a cyberattack, if it occurred, could cause system operational problems, disrupt service to clinical trial sites, compromise important data or systems or result in an unintended release of confidential information. See Item 1A. Risk Factors for additional discussion of cybersecurity risks impacting our Company.


Company Information

Name: CNS Pharmaceuticals, Inc.
CIK: 0001729427
SIC Description: Pharmaceutical Preparations
Ticker: CNSP - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30