Ocugen, Inc. 10-K Cybersecurity GRC - 2024-04-16

Page last updated on April 16, 2024

Ocugen, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-04-16 15:45:48 EDT.

Filings

10-K filed on 2024-04-16

Ocugen, Inc. filed an 10-K at 2024-04-16 15:45:48 EDT
Accession Number: 0001628280-24-016378

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We understand the importance of assessing, identifying, and managing risks associated with cybersecurity threats. Cybersecurity processes designed to assess, identify and manage risks from cybersecurity threats have been incorporated into our operations as a part of our overall risk assessment process. To help us defend against, detect and respond to risks from cybersecurity threats, we engage a third-party cybersecurity firm to assist with aspects of our cybersecurity program including, but not limited to, network monitoring, cloud system monitoring, and employee cybersecurity awareness training. Training topics include how to escalate suspicious activities including phishing, viruses, spams, insider threats, suspect human behaviors or safety issues. Our processes also include assessing cybersecurity risks associated with our use of third-party services providers in the normal course of business use. We assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems . There have not been any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our Company, including our business strategy, results of operations, or financial condition. Refer to Item 1A. Risk factors in this annual report on Form 10-K, including Our internal computer systems or those of our development collaborators, third-party CDMOs, or other contractors or consultants may fail or suffer cybersecurity or other security breaches, which could result in a material disruption of our product development programs and cause our business and operations to suffer. We face risks related to our collection and use of data, which could result in investigations, inquiries, litigation, fines, legislative and regulatory action, and negative press about our privacy and data protection practices , for additional discussion about cybersecurity-related risks. Cybersecurity Governance Cybersecurity is an important part of our risk management processes. The Company’s Associate Vice President of IT & Facilities is responsible for overseeing the cybersecurity risk management program. He has over 20 years of IT management, cybersecurity, and information governance experience. In order to monitor and appropriately escalate cybersecurity risks, our Associate Vice President of IT & Facilities receives reports on a monthly basis, and more frequently as appropriate, from our third-party cybersecurity vendor. Our Board of Directors’ role in risk oversight is consistent with our leadership structure, with management having day-to-day responsibility for assessing and managing our risk exposure and our Board actively overseeing the management of our risks both at the Board and Committee level. The Board conducts its risk oversight by receiving reports from each of the Committees and our executive officers regarding our risk identification, risk management, and risk mitigation strategies with respect to areas of potential material risk, including cybersecurity risk. The Board has delegated to the Audit Committee of the Board primary responsibility for overseeing risks from cybersecurity threats. The Company’s Associate Vice President of IT & Facilities briefs the Audit Committee on the Company s cybersecurity risk management program on an approximately quarterly basis, using risk assessment reports from our third-party cybersecurity vendor. The briefing includes discussion of management s actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation. 79 Table of Contents

Company Information