OCULAR THERAPEUTIX, INC 10-K Cybersecurity GRC - 2026-02-05

Page last updated on February 5, 2026

OCULAR THERAPEUTIX, INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-05 07:58:16 EST.

Filings

10-K filed on 2026-02-05

OCULAR THERAPEUTIX, INC filed a 10-K at 2026-02-05 07:58:16 EST
Accession Number: 0001104659-26-010664

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have certain processes for identifying, assessing and managing cybersecurity risks, which are built into our overall risk management program and are designed to help protect our people, technology, products, information and operations from internal and external cyber threats and to protect the information of employees, customers, vendors, and other individuals, such as subjects enrolled in our clinical trials, from unauthorized access or attack, as well as secure our networks and systems. Our cybersecurity program is built upon, and we periodically assess our processes against, the National Institute of Standards and Technology, or NIST, Cybersecurity Framework (CSF) 2.0, or the NIST Framework. This does not imply that we meet any particular technical standards, specifications, or requirements of the NIST Framework, but rather only that we use these standards as a guide to help us mature our security posture in order to identify, assess, and manage cybersecurity risks relevant to our business. Our processes for identifying, assessing and managing cybersecurity risks include physical, procedural and technical safeguards, a cybersecurity incident response plan, regular tests on our systems, incident simulations and routine review of our policies and procedures to identify risks and improve our practices. We engage certain external parties, including information technology security firms, to assist us with the identification, verification, and validation of cybersecurity risks, and to support mitigation efforts if necessary. We consider the internal risk oversight programs of third-party service providers before engaging them in order to help protect us from any related vulnerabilities. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. The Audit Committee of our board of directors provides direct oversight over cybersecurity risk and provides updates to the board of directors regarding such oversight as deemed necessary. The Audit Committee receives periodic updates from management regarding cybersecurity matters and is notified between such updates regarding significant new cybersecurity threats or incidents. Our management team is responsible for day-to-day assessment and management of cybersecurity risks. On our management team, our Chief Financial Officer and Chief Operating Officer , or CFO and COO , leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare us and our employees, customers, vendors and other individuals to address cybersecurity risks. Our CFO and COO has more than eleven years of experience managing information technology teams of operating companies in the biotechnology industry. Our CFO and COO has implemented and maintains a formal cybersecurity program which is led by our Director of IT Cybersecurity who has over fifteen years of offensive and defensive cybersecurity experience with departments of the U.S. government, international alliances and small to large biopharmaceutical companies. We collaborate with a third party that provides virtual Chief Information Security Officer, or Virtual CISO, services to further support our cybersecurity program. Collectively, the individuals involved in our cybersecurity team and the Virtual CISO have notable experience in managing information security, possess the education and skills to fulfill these duties, and attend periodic trainings as necessary . During our CFO and COO's temporary medical leave of absence, our Director of IT Cybersecurity reports to our management team through our interim CFO , who has 10 years of experience implementing and managing enterprise resource planning, or ERP, systems and cybersecurity policies in the biotechnology industry. In an effort to deter and detect cyber threats, we provide all employees, including part-time and temporary employees, with periodic security-awareness training, including training related to cybersecurity threats, which covers timely and relevant topics such as, but not limited to, threats from artificial intelligence, social engineering, phishing, password protection and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.

Company Information