Grace Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-06-23

Page last updated on June 23, 2025

Grace Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-06-23 07:43:32 EDT.

Filings

10-K filed on 2025-06-23

Grace Therapeutics, Inc. filed a 10-K at 2025-06-23 07:43:32 EDT
Accession Number: 0001140361-25-023259

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are increasingly dependent on third-party provided software applications and computing infrastructure to conduct key operations. We depend on both our own procured systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners. Given the importance of cybersecurity to our business, we maintain a cybersecurity program that is based on a set of cybersecurity policies and processes to support our controls and our preparedness for treatment of identified information security risks. We also undergo periodic evaluations of our cybersecurity program through cybersecurity assessment and cybersecurity incident response tabletop exercises, conducted by our cybersecurity advisors. As a result of such assessments and exercises, a number of processes have been established or are being improved upon to support the protection of our data and systems. Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats In the event of a cybersecurity incident, we maintain a Cybersecurity Incident Response Plan. Pursuant to the plan and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We have a relationship with various law firms to assist with advisory on legal aspects of containing incidents and communicating accordingly. Governance Management Oversight The existing controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our information technology (“IT”) consultant. Our IT consultant leverages its over 35 years of experience . Our IT consultant is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity incidents. Our IT consultant reports on its activities to senior management who then assess and manage risks of cybersecurity threats. Board Oversight While our Board of Directors (the “Board”) has overall responsibility for risk oversight, the Audit Committee of the Board (the “Audit Committee”) oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, monitoring, reporting and, where appropriate, providing recommendations to the Board regarding compliance with our internal policies and its progress in remedying any material deficiencies, including those related to our security policies, including the physical safeguarding of corporate assets and security of our networks and information systems. The Audit Committee receives periodic updates regarding the cybersecurity program, including top threats and risks, and updates on the cybersecurity roadmap. Cybersecurity Risks We maintain a Risk Management Policy that governs the process in which we identify cybersecurity risks, evaluate their associated impacts and risk levels, and document them accordingly in the Cybersecurity Risk Register. For additional information, see “Item 1A-Risk Factors.” In the last reporting year, we did not experience any material cybersecurity incidents or threats.

Company Information