Onconova Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Onconova Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:08:19 EDT.

Filings

10-K filed on 2024-04-01

Onconova Therapeutics, Inc. filed an 10-K at 2024-04-01 16:08:19 EDT
Accession Number: 0001558370-24-004525

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We monitor our information systems for potential cybersecurity issues and assess risks from cybersecurity threats as an element of our overall business risks. To protect our information systems from cybersecurity threats, we use various security tools supporting protection, detection, and response/mitigation capabilities. We also alert employees to significant new cybersecurity issues on a regular basis. We rely heavily on third party service providers for our clinical development activities and cloud-based documentation and communications. A cybersecurity incident at a vendor or other third-party service provider could have a material and adverse impact on our business, results of operations and financial condition. Third-party vendor cybersecurity risks and procedures are evaluated by our Quality Assurance and Regulatory Department during our prequalification process and during subsequent periodic reviews. We do not specifically utilize assessors, consultants, auditors, or other third parties to evaluate or enhance our cybersecurity programs. On an annual basis, our information technology risks, controls and procedures are reviewed by third-party experts as part of our Sarbanes-Oxley review and testing. Board Governance and Management Our board of directors has oversight responsibility for risk management, which it administers directly and with assistance from its committees, primarily the audit committee. Throughout the year, the board and its committees engage with management to discuss a wide range of enterprise risks, including cybersecurity. The audit committee assists the board of directors by overseeing the steps management has taken to monitor and mitigate cybersecurity threats and risks. The audit committee receives reports annually from management on our cybersecurity strategy and program. Significant changes are reported to the audit committee quarterly. Cybersecurity incidents which are determined by management to be material will be reported immediately to the audit committee. We take a risk-based approach to cybersecurity and have implemented cybersecurity procedures designed to address cybersecurity threats and risks. The Director Information Technology, who has a combination of 15 years of professional experience and education, as well as certifications in cybersecurity, leads the Company s cybersecurity program and is responsible for assessing and managing cybersecurity risk. The Director- Information Technology reviews cybersecurity risks with and reports cybersecurity incidents to the Chief Executive Officer, Chief Operating Officer/Chief Financial Officer, and Senior Director Financial Reporting. 48 Table of Contents To date, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on our business or operations however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for us to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. See Part I Item 1A. Risk Factors for further discussion of these risks.

Company Information