Pluri Inc. 10-K Cybersecurity GRC - 2025-09-17

Page last updated on September 17, 2025

Pluri Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-09-17 16:22:40 EDT.

Filings

10-K filed on 2025-09-17

Pluri Inc. filed a 10-K at 2025-09-17 16:22:40 EDT
Accession Number: 0001213900-25-088578


Item 1C. Cybersecurity.

Item 1C. “Cybersecurity”, for additional information. We use AI tools in certain administrative functions and are evaluating suitability of these technologies for broader administrative and data-processing applications. These technologies are not embedded in our core operations or product development systems. Potential risks include inaccuracies or biases in AI-generated analyses, compliance challenges with emerging AI regulations, and cybersecurity vulnerabilities. We continue to monitor and assess AI technologies to mitigate potential impacts on our business.

In addition, we are subject to laws, rules and regulations in Israel, the United States, the EU and other jurisdictions relating to the collection, use and security of personal information and data. Such data privacy laws, regulations and other obligations may require us to change our business practices and may negatively impact our ability to expand our business and pursue business opportunities. We may incur significant expenses to comply with the laws, regulations and other obligations that apply to us. Additionally, the privacy- and data protection-related laws, rules and regulations applicable to us are subject to significant change. Several jurisdictions have passed new laws and regulations in this area, and other jurisdictions are considering imposing additional restrictions. Privacy- and data protection-related laws and regulations also may be interpreted and enforced inconsistently over time and from jurisdiction to jurisdiction. Any actual or perceived inability to comply with applicable privacy or data protection laws, regulations, or other obligations could result in significant cost and liability, litigation or governmental investigations, damage our reputation, and adversely affect our business.

Unsuccessful compliance with certain European privacy regulations could have an adverse effect on our business and reputation.

The collection and use of personal health data in the EU is governed by the provisions of the General Data Protection Regulation (“GDPR”). This directive imposes several requirements relating to the consent of the individuals to whom the personal data relates, the information provided to the individuals, notification of data processing obligations to the competent national data protection authorities and the security and confidentiality of the personal data. The GDPR also extends the geographical scope of EU data protection law to non-EU entities under certain conditions, tightens existing EU data protection principles and creates new obligations for companies and new rights for individuals. Failure to comply with the requirements of the GDPR and the related national data protection laws of the EU member States may result in fines and other administrative penalties. There may be circumstances under which a failure to comply with GDPR, or the exercise of individual rights under the GDPR, would limit our ability to utilize clinical trial data collected on certain subjects. The GDPR regulations impose additional responsibility and liability in relation to personal data that we process, and we intend to put in place additional mechanisms ensuring compliance with these and/or new data protection rules. Changes to these European privacy regulations and unsuccessful compliance may be onerous and adversely affect our business, financial condition, prospects, results of operations and reputation.

We may be exposed to liabilities under the Foreign Corrupt Practices Act, and any determination that we violated the Foreign Corrupt Practices Act could have a material adverse effect on our business.

We are subject to the Foreign Corrupt Practices Act (“FCPA”) and other laws that prohibit U.S. companies or their agents and employees from providing anything of value to a foreign official or political party for the purposes of influencing any act or decision of these individuals in their official capacity to help obtain or retain business, direct business to any person or corporate entity or obtain any unfair advantage. We have operations and agreements with third parties. Our international activities create the risk of unauthorized and illegal payments or offers of payments by our employees or consultants, even though they may not always be subject to our control. We discourage these practices by our employees and consultants. However, our existing safeguards and any future improvements may prove to be less than effective, and our employees or consultants may engage in conduct for which we might be held responsible. Any failure by us to adopt appropriate compliance procedures and ensure that our employees and consultants comply with the FCPA and applicable laws and regulations in foreign jurisdictions could result in substantial penalties or restrictions on our ability to conduct business in certain foreign jurisdictions. Violations of the FCPA may result in severe criminal or civil sanctions, and we may be subject to other liabilities, which could negatively affect our business, operating results, and financial condition. In addition, the U.S. government may seek to hold our Company liable for successor liability FCPA violations committed by companies in which we invest or that we acquire.

Other Risks

Since we received grants from the IIA, we are subject to on-going restrictions.

We have received royalty-bearing grants from the IIA, for research and development programs that meet specified criteria. The terms of the IIA’s grants limit our ability to transfer know-how developed under an approved research and development program (by way of sale and/or granting a license to use the IP), and/or the manufacturing of products developed under an approved research and development program, outside of Israel, regardless of whether the royalties are fully paid. Any non-Israeli citizen, resident or entity that, among other things, becomes a holder of 5% or more of our share capital or voting rights, is entitled to appoint one or more of our directors or our Chief Executive Officer (“CEO”) serves as a director of our Company or as our CEO is generally required to notify the same to the IIA and to undertake to observe the law governing the grant programs of the IIA, the principal restrictions of which are the transferability limits described above. To the extent a company wishes to transfer its IIA-supported know-how outside of Israel (by way of sale and/or granting a license to use the IP) - the IIA acts under the Law for the Encouragement of Research, Development and Technological Innovation in the Industry 1984 and the related IIA rules and regulations, it must be preapproved by the IIA and the company may be required to pay an additional payment to the IIA. The minimum amount of the payment is the total sum of grants received plus interest, and the maximum amount shall be no higher than six times the total sum of grants received plus interest. In the case that the IIA-supported company sells the IP but retains its research and development center in Israel for at least three consecutive years, following the year of transferring the IIA-supported know-how outside of Israel, while maintaining at least 75% of its research and development employees in Israel - the payment will be limited to three times the total sum of grants received plus interest. For more information, see “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations - Liquidity and Capital Resources.”

Recent global inflation may adversely affect our business results.

Inflation could affect our ability to purchase materials needed to support our research, development and operational activities, which in turn could result in higher burn rate and a higher end price of our future products. As a result, we may not be able to effectively develop our cell-based product candidates or cultivated meat products. If we are not able to successfully manage inflation, our prospects, business, financial condition, and results of operations could be adversely impacted.

Non-compliance with environmental, social, and governance (“ESG”) practices could harm our reputation, or otherwise adversely impact our business, while increased attention to ESG initiatives could increase our costs.

Companies across industries are facing increasing scrutiny from a variety of stakeholders related to their ESG and sustainability practices. Certain market participants, including institutional investors and capital providers, are increasingly placing importance on the impact of their investments and are thus focusing on corporate ESG practices, including the use of third-party benchmarks and scores to assess companies’ ESG profiles in making investment or voting decisions, and engaging with companies to encourage changes to their practices. Unfavorable ESG ratings could lead to increased negative investor sentiment towards us or our industry. If we do not comply with investor or stockholder expectations and standards in connection with our ESG initiatives or are perceived to have not addressed ESG issues within our company, our business and reputation could be negatively impacted and our share price could be materially and adversely affected, as well as our access to and cost of capital.
While we may, at times, engage in voluntary initiatives (such as voluntary disclosures, certifications, or goals, among others) or commitments to improve the ESG profile of our company and/or products, such initiatives or achievements of such commitments may not have the desired effect and may be costly. In addition, we may commit to certain initiatives or goals but not ultimately achieve such commitments or goals due to factors that are both within or outside of our control. Moreover, actions or statements that we may take based on expectations, assumptions, or third-party information that we currently believe to be reasonable may subsequently be determined to be erroneous or be subject to misinterpretation. Even if this is not the case, our current actions may subsequently be determined to be insufficient by various stakeholders, and we may be subject to investor or regulator engagement on our ESG initiatives and disclosures, even if such initiatives are currently voluntary. In addition, increasing ESG-related regulations may also result in increased compliance costs or scrutiny. Expectations around a company’s management of ESG matters continue to evolve rapidly, in many instances due to factors that are out of our control. To the extent ESG matters negatively impact our reputation, it may also impede our ability to compete as effectively to attract and retain employees or customers, which may adversely impact our operations.

Since we have signed the EIB Finance Agreement, we agreed to guaranty the loan as well as agreed to limitations that require us to notify the EIB, and in some cases obtain their approval, before we engage with other banks for additional sources of funding or with potential partners for certain strategic activities.

The EIB Finance Agreement contains certain limitations that we must adhere to such as the use of proceeds received from the EIB, the disposal of assets, substantive changes in the nature of our business, our potential execution of mergers and acquisitions, changes in our holding structure, distributions of future potential dividends and our engaging with other banks and financing entities for other loans.

Our principal research and development and manufacturing facilities are located in Haifa, Israel and military conditions in Israel, including the armed conflict between Israel and terrorist organizations from the Gaza Strip, Lebanon and Yemen, tensions with regional countries hostile to Israel such as Iran - may cause interruption or suspension of our business operations without warning.

Our principal R&D and manufacturing facilities are located in Haifa, Israel, thus, political, economic, and military conditions in Israel, and in particular, conflicts involving Israel and terrorist organizations such as Hamas in the Gaza Strip, Hezbollah in Lebanon, and Ansar Allah (Houthis) in Yemen, the conflict with Iran, as well as tensions with regional countries hostile to Israel, may directly affect our business. As of the date of this Annual Report, there has been no material impact on our operations. According to the recent guidelines of the Israeli government, the Company’s offices in Haifa are open and functioning; however, if a war will escalate or expand, with one or more of the countries or organizations in conflict with Israel, this situation may change and the Israeli government may impose certain restrictions on movement and travel, which will affect our management and employees’ ability to effectively perform their daily tasks, and may result in disruptions and delays in some of our projects.
Any hostilities involving Israel, terrorist activities, political instability or violence in the region, or the interruption or curtailment of trade or transport between Israel and its trading partners could make it more difficult for us to raise capital, if needed in the future, and adversely affect our operations and results of operations and the market price of our common shares. In addition, to the extent the IIA no longer makes grants similar to those we have received in the past, it could adversely affect our financial results.

Furthermore, certain of our employees may be obligated to perform annual reserve duty in the Israel Defense Forces and are subject to being called up for active military duty at any time. Many Israeli citizens who have served in the army are required to perform reserve duty until they reach the age of 40 or older, depending upon the nature of their military service. Currently, two of our employees, neither of which is an executive officer, have been called for active military reserve duty.

The war’s implications, including but not only the war’s economic implications, on the Company’s business and operations and on Israel’s economy in general are difficult to predict. Such events may be intertwined with wider macroeconomic indications of a deterioration of Israel’s economic standing, for instance, a downgrade in Israel’s credit rating by rating agencies, which may have a material adverse effect on the Company and its ability to effectively conduct its operations.

In addition, Israeli-based companies and companies doing business with Israel, have been the subject of an economic boycott by members of the Arab League and certain other predominantly Muslim countries since Israel’s establishment. Although Israel has entered into various agreements with certain Arab countries and the Palestinian Authority, and various declarations have been signed in connection with efforts to resolve some of the economic and political problems in the Middle East, we cannot predict whether or in what manner these problems will be resolved. Wars and acts of terrorism have resulted in significant damage to the Israeli economy, including reducing the level of foreign and local investment.

ITEM 1B. UNRESOLVED STAFF COMMENTS.

Not Applicable.

ITEM 1C. CYBERSECURITY

We operate in the biotechnology industry, where the protection of sensitive information and the continuity of our operations are critical. We are subject to cybersecurity risks which could adversely affect our business, financial condition, or results of operations. We maintain a risk-based cybersecurity program designed to identify, assess, and mitigate cybersecurity threats. Our program incorporates applicable industry standards and is managed through a cross-functional approach involving our Information Technology, legal, compliance, and other relevant teams. It is overseen by our Chief Information Officer (“CIO”), who is responsible for the day-to-day management of cybersecurity risks and the implementation of our information security program and incident response plans.

Our risk management activities include periodic assessments, vulnerability testing, and tabletop exercises, as well as regular engagement with third-party experts to perform independent security assessments. We have expanded employee training and phishing simulations, and we conduct ongoing monitoring of access to our systems, including oversight of third-party vendors and service providers. The results of assessments and reviews are reported to senior management and the Audit Committee, and our policies and controls are updated as necessary.
While we have experienced a cybersecurity incident in the past and encounter cybersecurity threats from time to time in the ordinary course of business, none to date have had a material adverse effect on our business, financial condition, results of operations or cash flows. Despite our proactive measures, including expanded employee training and enhanced vendor oversight, cybersecurity threats continue to evolve, and no system can be entirely secure. A future cybersecurity incident could materially impact our operations, financial results, or reputation.

Risk Management and Strategy

As part of our overall risk management framework, our cybersecurity program takes a comprehensive, layered approach to identifying, preventing and mitigating cybersecurity threats and incidents. This includes implementing controls and escalation procedures to ensure that significant incidents are promptly communicated to management for timely decision-making regarding public disclosure and regulatory reporting.

We deploy multiple technical safeguards designed to protect our information systems, including firewalls, intrusion prevention and detection systems, anti-malware tools, access controls, and continuous monitoring. These safeguards are evaluated and enhanced through regular vulnerability assessments, penetration testing and ongoing cybersecurity threat intelligence.

We maintain formal incident response and recovery plans that define our procedures for addressing cybersecurity incidents. These plans are tested, updated, and refined on a regular basis to ensure readiness.

We apply a risk-based approach to managing cybersecurity risks posed by third parties, including vendors, contract research organizations, service providers and other external users of our systems. This also includes assessing and overseeing risks related to third-party systems that, if compromised, could negatively impact our business operations.
Governance

The Audit Committee of our Board oversees our risk management process, including the management of risks from cybersecurity threats. Our CIO, Mr. Oren Kochavi, is an accomplished executive with 14 years of experience leading information technology, enterprise systems, information security, and related technology functions. Mr. Kochavi holds an MBA in Business Administration and multiple professional certifications, and is responsible for the day-to-day administration of our cybersecurity program and reports to the Audit Committee on cybersecurity matters.

The Audit Committee receives periodic reports and presentations addressing cybersecurity risks, recent developments, evolving standards, results of vulnerability assessments, findings from third-party and independent reviews, current threat intelligence, technological trends, and relevant developments regarding security considerations arising with respect to our peers and third parties. According to our procedures, the Audit Committee is promptly informed of any cybersecurity incident that meets established reporting thresholds and receives ongoing updates until the matter is fully resolved.


Company Information

Name: Pluri Inc.
CIK: 0001158780
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: PLUR - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29