Vera Therapeutics, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Vera Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 17:25:11 EST.

Filings

10-K filed on 2026-02-26

Vera Therapeutics, Inc. filed a 10-K at 2026-02-26 17:25:11 EST
Accession Number: 0001193125-26-077442


Item 1C. Cybersecurity.

Risk management and strategy

We have developed, implemented and maintained a cybersecurity risk management program, designed to align with the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0), including various information security processes, designed to protect the confidentiality, integrity, and availability of our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and sensitive personal data, including that of our employees, consultants and clinical trial participants (Information Systems and Data).

Our cybersecurity risk management program is integrated into our overall risk management processes, and shares common methodologies, reporting channels and governance processes that apply across the risk management program to other legal, compliance, strategic, operational, and financial risk areas. For example, our Cybersecurity Risk Management Committee evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors, which evaluates our overall enterprise risk.

Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data.

Key elements of our cybersecurity risk management program include but are not limited to the following:

- a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, and additional cybersecurity policies, including an information security program and acceptable use policy;
- risk assessments of certain environments and systems designed to help identify material risks from cybersecurity threats to our critical systems and information;
- a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security processes;
- cybersecurity awareness training of our employees, including incident response personnel and senior management;
- a third-party risk management process for key service providers based on our assessment of their criticality to our operations and respective risk profile; and
- various other measures, including incident detection and response tools, encryption of certain data, network security for certain environments and systems, access controls for certain environments and systems, data segregation of certain data; physical security, asset management, third-party systems monitoring and cybersecurity insurance.

Additionally, we use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional services firms, such as legal counsel, cybersecurity consultants, forensic investigators, and cybersecurity software providers.

We use third-party service providers to perform a variety of functions throughout our business, such as software application providers, hosting companies, and contract research organizations. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including reviewing security questionnaires and imposing contractual obligations related to cybersecurity on the provider.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report, including the section titled "Risk Factors-General risk factors-If our information technology systems, or those of any of our third-party partners (such as contract research organizations and clinical trial sites), or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; additional costs; loss of revenue or profits; and other adverse consequences."

Cybersecurity Governance

Our board of directors considers cybersecurity risk as part of its general oversight function and has delegated to the audit committee oversight of cybersecurity risks, including oversight of management's implementation of our cybersecurity risk management program, such as oversight of mitigation of risks from cybersecurity threats.

The Cybersecurity Risk Management Committee monitors and evaluates our threat environment and risk profile using various methods including, for example: manual and automated tools in certain environments and systems, subscribing to reports and services that identify certain cybersecurity threats, conducting scans of certain threat environments, evaluating certain cybersecurity threats reported to us, conducting internal and external audits of certain environments and systems, and performing third-party threat assessments.

The audit committee receives periodic reports from management concerning our cybersecurity threats and risks and the processes we have implemented to address them, including during audit committee meetings and other periodic updates. These reports are provided by members of our management team responsible for such reporting, including the Cybersecurity Risk Management Committee. In addition, management updates the audit committee, where it deems appropriate, regarding the cybersecurity incidents it considers to be significant.

The audit committee reports to the full board regarding its activities, including those related to cybersecurity. The full board also regularly receives briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from internal security staff or external experts as part of the board's continuing education on topics that impact public companies.

Our management team, including the Chief Operating Officer, Vice President of Information Technology, Senior Vice President of Legal, and the Head of Cybersecurity, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.

Our management team's experience includes over 29 years of experience in cybersecurity and information technology matters for our Vice President of Information Technology, including multiple senior information technology leadership roles supervising cybersecurity teams and establishing cybersecurity risk assessment programs in the biotech industry and 28 years of cybersecurity experience for our Head of Cybersecurity, including multiple senior cybersecurity roles.

The Chief Operating Officer is responsible for hiring appropriate personnel and third-party vendors, communicating key priorities to relevant personnel, and, in concert with members of the Cybersecurity Risk Management Committee, helping to integrate cybersecurity risk considerations into our overall risk management strategy. Our Chief Operating Officer, Vice President of Information Technology and Senior Vice President of Legal, in consultation with our third-party information technology team, is responsible for maintaining cybersecurity-related budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Cybersecurity Risk Management Committee. This group works with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response plan includes reporting to the audit committee of the board of directors for certain cybersecurity incidents.

Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our information technology environment.


Company Information

Name: Vera Therapeutics, Inc.
CIK: 0001831828
SIC Description: Pharmaceutical Preparations
Ticker: VERA - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31