Phio Pharmaceuticals Corp. 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

Phio Pharmaceuticals Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 16:31:03 EDT.

Filings

10-K filed on 2024-04-01

Phio Pharmaceuticals Corp. filed a 10-K at 2024-04-01 16:31:03 EDT
Accession Number: 0001683168-24-002021


Item 1C. Cybersecurity.

We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.

Cybersecurity Program

Given the importance of cybersecurity to our business, we maintain a robust cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of safeguards, such as: continuous monitoring for internal and external threats; regular evaluations of our cybersecurity program, including periodic external reviews and industry benchmarking. We also require cybersecurity trainings when onboarding new employees, as well as cybersecurity awareness training for our employees. Our program leverages standard industry frameworks to strengthen our program effectiveness and reduce cybersecurity risks.

We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider. We use a number of means to assess and manage cyber risks related to our third-party service providers, including conducting due diligence in connection with onboarding new vendors and seeking to include appropriate security terms in our contracts where applicable.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

In the event of a cybersecurity incident, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We maintain a disaster recovery plan in the event of a significant cybersecurity incident. We have relationships with a number of third-party service providers to assist with cybersecurity containment and remediation efforts, including insurance providers and various law firms.

Governance

Management Oversight

The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by the use of consultants as the Company does not have a full-time dedicated cybersecurity position in the Company. Our consultant has over 20 years of experience in information technology matters and is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats.

Board Oversight

The Board of Directors (the "Board") has overall responsibility for risk oversight and cybersecurity risk matters. The Board is responsible for discussing with management the Company's data privacy, information technology and security and cybersecurity risk exposures, including: (i) the potential impact of those exposures on the Company's business, financial results, operations and reputation; (ii) the programs implemented by management to monitor and mitigate any exposures; and (iii) major legislative and regulatory developments that could materially impact the Company's data privacy and cybersecurity risk exposure.

Cybersecurity Risks

Our cybersecurity risk management processes are integrated into our overall information technology ("IT") processes. As part of our IT process, we identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our own systems, networks, and technology or the systems, networks and technology of our contractors, consultants, vendors and other business partners.

As of December 31, 2023, we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see Item 1A Risk Factors.


Company Information

Name: Phio Pharmaceuticals Corp.
CIK: 0001533040
SIC Description: Pharmaceutical Preparations
Ticker: PHIO - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30