HCW Biologics Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on May 15, 2024

HCW Biologics Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:31:02 EDT.

Filings

10-K filed on 2024-04-01

HCW Biologics Inc. filed an 10-K at 2024-04-01 16:31:02 EDT
Accession Number: 0000950170-24-039384

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity. Risk Management We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks intellectual property theft fraud extortion harm to employees or customers violation of privacy or security laws and other litigation and legal risk and reputational risks. We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage. We have established physical, electronic, and organizational measures to safeguard and secure our systems to prevent a data compromise. Our approach includes, among other things: conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K is scheduled on 2024 IT plan requiring regular cybersecurity training programs for employees, management and directors comparing our processes to standards set by the National Institute of Standards and Technology ( NIST ) leveraging the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident operating threat intelligence processes designed to model and research our adversaries conducting regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats maintaining copies of production data in two separate locations running a backup for our data on a daily basis and these files are held for several months testing the backup and recovery systems frequently employing a multi-factor authorization for employees who are working remotely, in order to mitigate risks of compromising email accounts and holding an insurance policy to mitigate risks for cybersecurity incidents. These approaches vary in maturity across our business and we work to continually improve them. As part of the above approach and processes, we periodically engage with assessors, consultants, auditors, and other third-parties, including by annually having a third-party review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance. Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate HCW personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigation. As of December 31, 2023, we have experienced a few outages which we do not believe impacted the integrity of our data. While we continue to make investments to improve the protection of data and information technology, there can be no assurance that our efforts will prevent service interruptions or security breaches. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading Risks Related to Data Privacy and Cybersecurity included as part of our risk factor disclosures at Item 1A of this Annual Report, which disclosures are incorporated by reference herein. 70 To date, we have not experienced a material cybersecurity incident and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. Governance Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our Audit Committee of our Board of Directors is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the Audit Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Operations Administrator, who is supported by Compass MSP, a leading provider of technology managed services. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks may also be considered during separate Board meeting discussions. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer, who has founded and led several biotech companies for over 20 years, all of which have implemented systems and processes to protect sensitive clinical data and patient information. He is supported by our IT consultant, Compass MSP, a leading provider of technology managed services. Our consultant conducts a vulnerability assessment annually and tests our backup and recovery systems frequently. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident.

Company Information