CRESCENT BIOPHARMA, INC. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

CRESCENT BIOPHARMA, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 07:27:21 EST.

Filings

10-K filed on 2026-02-26

CRESCENT BIOPHARMA, INC. filed a 10-K at 2026-02-26 07:27:21 EST
Accession Number: 0001628280-26-011983

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy We rely on information technology systems that we or our third-party providers operate to process, transmit and store electronic information in our day-to-day operations. To help protect against risks from cybersecurity threats to these systems, we have implemented cybersecurity processes in accordance with our risk profile and business that are informed by a recognized cybersecurity industry standard. Our cybersecurity risk management process includes a number of components implemented by our Senior Director, Information Technology and external resources, including risk assessments, security monitoring tools, penetration tests and vulnerability assessments, and employee cybersecurity awareness training. We also engage the services of external partners who provide information security services to help maintain our hardware and software, assist with security monitoring on our devices, and help us draft and implement appropriate information security policies. Our cybersecurity risk management program is integrated into our overall enterprise risk management program. As part of our cybersecurity risk management process, we take a risk-based approach to the evaluation of third-party vendors based on the criticality and size of the vendor. This process includes a review by our external partners, as appropriate. Where appropriate, we seek to negotiate contractual terms with certain third-party services providers that impose obligations on such services providers with the goal of protecting our confidential information. When possible, we require service providers to maintain information technology security protections. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See "Risk Factors - Our internal information technology systems, or those of any of our CROs, manufacturers, other contractors or consultants, third-party service providers, or potential future collaborators, may fail or suffer security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data, or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand, and material disruption of our operations ." Governance Related to Cybersecurity Risks Our cybersecurity risk assessment, management and strategy processes are led by our President and Chief Operating Officer and our Senior Director, Information Technology. Our management team, including our President and Chief Operating Officer and Chief Financial Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Senior Director, Information Technology has over 20 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs. The Senior Director, Information Technology, is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above. Our President and Chief Operating Officer and our Senior Director, Information Technology, meet regularly with representatives from our external partners to, as applicable, review aspects of the Company's cybersecurity processes or evaluate risks from cybersecurity threats. Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment. Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity risks, including oversight of management's implementation of our cybersecurity risk management program The Audit Committee reviews and discusses, at least annually, the Company's cybersecurity risks, including the Company's information security and risk management programs, controls and procedures, as well as high level review of the threat landscape facing the Company and the Company's strategy to mitigate cybersecurity risks and potential security incidents. The Audit Committee also reviews the recovery and communication plans for any unplanned outage or security incident. The Audit Committee receives periodic updates from management regarding cybersecurity matters and is notified between such updates regarding significant new cybersecurity threats or incidents. The Audit Committee provides updates to the board of directors regarding such oversight.

Company Information