TREVENA INC 10-K Cybersecurity GRC - 2024-04-01

Page last updated on April 11, 2024

TREVENA INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-01 07:15:59 EDT.

Filings

10-K filed on 2024-04-01

TREVENA INC filed an 10-K at 2024-04-01 07:15:59 EDT
Accession Number: 0001558370-24-004445

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cyber Risk Management and Strategy We recognize the importance of assessing, identifying, and managing risks from cybersecurity threats. Our approach to cybersecurity risk management is aligned with our risk profile and business. We have leveraged the support of third-party information technology and security providers, including to perform a risk assessment designed to identify, assess, and manage cybersecurity risks. We provide ongoing training to our employees to identify and understand the risks from cybersecurity threats, Further, we follow a formal, documented process to assess the data protection practices of certain third-party vendors. Our cybersecurity risk management program is integrated into our overall enterprise risk management program and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. Our cybersecurity risk management program includes: risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology ( IT ) environment an outsourced security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls cybersecurity awareness training for our employees, incident response personnel, and senior management. This includes mandatory computer-based training, internal communications, and regular phishing awareness campaigns that are designed to emulate real-world contemporary threats and provide immediate feedback (and, if necessary, additional training or remedial action) to employees. In addition to the processes, technologies, and controls that we have in place to reduce the likelihood of a material cybersecurity incident (or series of related cybersecurity incidents), our outsourced security team has a written incident response plan outlining how to address cybersecurity events that occur. We have assigned a team comprised of finance and technology personnel to review the plan annually to serve as a framework for the execution of responsibilities across businesses and operational roles. The incident response plan is designed to help us coordinate actions to prepare for, detect, respond to and recover from cybersecurity incidents, and includes processes to triage, assess severity, escalate, contain, investigate, and remediate the incident, as well as to assess the need for disclosure, comply with applicable legal obligations and mitigate the impact to our brand and reputation and on impacted parties. In addition to the cybersecurity incident response plan, our outsourced team conducts tabletop exercises to enhance our incident response preparedness. They also have processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party service providers. Such processes include conducting due diligence and risk assessment of our current and potential vendors that examine such vendor s cybersecurity protocols and adherence to applicable regulations. 71 Table of Contents We also maintain business continuity and disaster recovery plans to prepare for and respond to the potential for any disruption in the technology we rely on. Additionally, we maintain insurance coverage that, subject to its terms and conditions, is intended to help us cover certain costs associated with cybersecurity incidents and information system failures. Although risks from cybersecurity threats have to date not materially affected, and we do not believe they are reasonably likely to materially affect, us or our business strategy, results of operations or financial condition, we could, from time to time, experience threats and security incidents relating to our and our third-party vendors information systems. For more information, please see the section entitled Risk Factors in this Annual Report on Form 10-K. Governance Related to Cybersecurity Risks Based on the information available as of the date of this Annual Report, we have no reason to believe any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For additional information, see Risks Related to Cybersecurity, Data Privacy and IT Systems, in Item 1A, Risk Factors in this Annual Report on Form 10-K. Our Senior Vice President, Chief Business Officer and Head of Commercial Operations is responsible for the strategic leadership and direction of our cybersecurity program. The Senior Vice President, Chief Business Officer and Head of Commercial Operations has nearly 10 years of experience overseeing information technology activities. Our audit committee has oversight over cybersecurity risks. Our management provides periodic presentations to the audit committee on our cybersecurity program, including updates on cybersecurity risks and related cybersecurity strategy, as applicable. The audit committee provides updates regarding our cybersecurity program to the board of directors when material.

Company Information