Spyre Therapeutics, Inc. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

Spyre Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 16:01:23 EST.

Filings

10-K filed on 2026-02-19

Spyre Therapeutics, Inc. filed a 10-K at 2026-02-19 16:01:23 EST
Accession Number: 0001636282-26-000020

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY In the ordinary course of business, we collect, use, store, and transmit digitally confidential, sensitive, proprietary, personal, and health-related information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we have implemented processes using the cybersecurity risk framework published by the NIST designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a dedicated information technology team, which is led by our Vice President, Information Technology ("IT"), and include mechanisms, controls, technologies, systems, and other processes designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. Our cybersecurity risk management processes also incorporate the use of automated and data-driven tools provided by third-party vendors to support threat detection, monitoring, and incident response, and are designed to address evolving cybersecurity threats, including those that may be enabled by artificial intelligence. Specific measures include regular penetration and vulnerability testing, data recovery testing, security audits, and ongoing risk assessments. We conduct due diligence on and audits of key technology vendors, contract research organizations (CROs), and other third-party contractors and suppliers. Additionally, we conduct employee training that covers identifying threats (phishing, social engineering), secure practices (strong passwords, multi-factor authentication, safe internet use, data handling), and incident response (reporting procedures), turning employees into the first line of defense through regular, engaging education on topics like malware, remote work security, physical security, cloud security, mobile devices, and social media risks. We also regularly consult with outside advisors and experts. Their assistance helps us assess, identify, and manage cybersecurity risks, anticipate future threats and trends, and understand their potential impact on our risk environment. Our Vice President, IT , who reports directly to our Chief Financial Officer, has over 26 years of experience managing information technology and cybersecurity matters and is certified as a Certified Information Systems Security Professional. Together with other members of our senior leadership team, our Vice President, IT is responsible for assessing and managing cybersecurity risks. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity risks that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, "Risk Factors". The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives regular updates on cybersecurity and information technology matters and related risk exposures from our Vice President, IT, as well as other members of the senior leadership team. The Board also receives updates from management and the Audit Committee on cybersecurity risks on at least an annual basis.

Company Information