Surrozen, Inc./DE 10-K Cybersecurity GRC - 2024-04-10

Page last updated on April 11, 2024

Surrozen, Inc./DE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-10 16:38:46 EDT.

Filings

10-K filed on 2024-04-10

Surrozen, Inc./DE filed a 10-K at 2024-04-10 16:38:46 EDT
Accession Number: 0000950170-24-043399

Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property and confidential information that is proprietary, strategic or competitive in nature. To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, internal reporting and monitoring and detection tools to allow security researchers to assist us in identifying vulnerabilities in our environment before they are exploited by malicious threat actors.

We also maintain a third-party security program to identify, prioritize, assess, mitigate and remediate third party risks; however, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

We regularly assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our industry's risk profile, utilizing internal and external audits, and conducting threat and vulnerability assessments.

Depending on the environment, we implement and maintain various processes, standards, and/or policies designed to manage and mitigate material risks from cybersecurity threats to our information system and data, including risk assessments, incident detection and response, vulnerability management, disaster recovery and business continuity plans, internal controls within our accounting and financial reporting functions, encryption of data, network security controls, access controls, physical security, asset management, systems monitoring, vendor risk management program, employee training, and penetration testing.

We work with third-party service providers from time to time that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, consulting firms, threat intelligence service providers, and penetration testing firms. We seek to engage reliable, reputable service providers that maintain cybersecurity programs.

We are not aware of any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. Refer to Item 1A Risk Factors in this Annual Report on Form 10-K for additional discussion about cybersecurity-related risks.

Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our audit committee is responsible for the oversight of risks from cybersecurity threats. Members of our audit committee receive updates on a quarterly basis from senior management, including leaders from our Information Technology team regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
Our Board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.

Our cybersecurity risk management and strategy processes are overseen by our Information Technology team. Such individuals have an average of over 15 years of prior work experience in various roles involving information technology, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to the audit committee on any appropriate items. The audit committee holds quarterly meetings and receives periodic reports from management, concerning our significant cybersecurity threats and risk and the processes we have implemented to address them.


Company Information

Name: Surrozen, Inc./DE
CIK: 0001824893
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: SRZN - Nasdaq; SRZNW - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30