ANI PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2026-02-27

Page last updated on February 27, 2026

ANI PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-27 06:59:42 EST.

Filings

10-K filed on 2026-02-27

ANI PHARMACEUTICALS INC filed a 10-K at 2026-02-27 06:59:42 EST
Accession Number: 0001023024-26-000014

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We rely on information technology systems and various software applications to operate our business. To address cybersecurity risks, we have implemented a comprehensive process for identifying, assessing, and managing material threats, and integrating these measures into our overall risk management framework. Our Security Operations Team and Security Audit/Advisory Team play a key role in this strategy. Our senior leadership team, in collaboration with representatives from the Security Operations Team, as well as the legal, human resources, and finance departments, are responsible for developing and executing the company's overall risk management program, including cybersecurity policies. To enhance security, we have established an Information Security Program with a formal written security and incident response policy. This policy outlines methods for assessing, identifying, and mitigating risks. Our cybersecurity program incorporates multiple security layers, and we engage external security consultants to assess, audit, and monitor our security controls and events. Additionally, we require third-party service providers to implement and maintain appropriate security measures and promptly report any suspected breaches that may impact the Company. We also maintain a cybersecurity insurance policy that is intended to address certain costs that we may incur in the event that we experience a cybersecurity incident. We have invested in relevant tools and technologies to protect our data and business partners. Our Security Operations Team continuously monitors risks specific to us and our industry. We also leverage third-party assessors, consultants, and advisors to enhance our cybersecurity risk assessment and mitigation efforts. To foster a security-conscious culture, we have implemented a cybersecurity awareness program that educates employees on identifying and reporting threats. We conduct periodic phishing campaigns and training sessions to equip employees with the necessary skills to manage and defend against prevalent cybersecurity risks. Additionally, employees in specialized IT roles receive targeted training, including tabletop exercises, among other training. Following our acquisition of Alimera, we prioritized the integration and adoption of consistent policies and procedures related to information security, data privacy, and cybersecurity practices, with a strong focus on aligning security and privacy standards across our organization. We continuously update and improve our cybersecurity program through independent assessments, penetration testing, and system vulnerability scanning. Our security framework follows a hybrid approach, incorporating best practices from the Center for Internet Security framework and incorporating relevant standards from the National Institute of Standards and Technology Cybersecurity framework. We also undergo an annual third-party assessment to evaluate the maturity of our cybersecurity program. Additionally, we periodically engage external advisors to assess our program's effectiveness, strengthen policies, and identify potential vulnerabilities. Our Security Operations Team led by a VP of Technology, collaborates regularly with IT network teams and other management stakeholders to review and address cybersecurity risks and opportunities. We have a global incident response plan with defined incident management protocols, escalation timelines, and responsibilities among other policies to manage data and its risks. As of the date of this Annual Report on Form 10-K, we have not identified any cybersecurity incidents that have materially affected affect our business strategy, results of operations or financial condition, or are reasonably likely to materially affect the Company, including any cybersecurity incidents involving our vendors' facilities or systems. Please refer to " We rely significantly on information technology and any failure, inadequacy, interruption, or security lapse of that technology, including any cybersecurity incidents, could harm our ability to operate the business effectively. " in Item 1A of this Annual Report on Form 10-K. Governance Our Board of Directors, with delegation to the Audit Committee, as appropriate, retains oversight of the Company's cybersecurity risks. The senior leadership team led by our VP of Technology provides periodic reports to our Board of Directors, as well as the Chief Executive Officer and Audit Committee as necessary . The current VP of Technology has more than 20 years of experience in cybersecurity, while possessing the required subject matter expertise, skills, experience, and industry certifications expected of an individual assigned to these duties. In addition, we have contracted with certified security experts that act as an extension of the internal information technology team for all security related items. These communications include potential risks facing the Company, assessments and evaluations of our cybersecurity environment, results of internal controls testing, and reports on our on-going initiatives to strengthen our cybersecurity framework.

Company Information