Dyne Therapeutics, Inc. 10-K Cybersecurity GRC - 2026-03-02

Page last updated on March 2, 2026

Dyne Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-02 07:20:55 EST.

Filings

10-K filed on 2026-03-02

Dyne Therapeutics, Inc. filed a 10-K at 2026-03-02 07:20:55 EST
Accession Number: 0001193125-26-084178


Item 1C. Cybersecurity.

Overview

We recognize the importance of identifying, assessing and managing material risks associated with cybersecurity threats. Cybersecurity considerations are integrated into our enterprise risk management framework and are designed to protect our information systems, safeguard confidential information (including employee and patient information), and support the continuity of our business operations. Our program is informed by industry-standard security and risk management practices and is designed to evolve with changes in our threat environment and regulatory requirements.

Risk Management and Strategy

We maintain processes, technologies and controls intended to prevent, detect, and respond to cybersecurity threats and to manage material risks arising from such threats. These activities include:

Risk Assessment & Monitoring

We conduct periodic cybersecurity risk assessments and maintain continuous monitoring of our environment, informed by internal processes and by third-party service providers. We engage independent cybersecurity firms to perform internal and external penetration testing. We also maintain 24x7 Network Operations Center, or NOC, and Security Operations Center, or SOC, monitoring and support services through outsourced providers.

Access to Management & Technical Controls

We utilize access controls, including multifactor authentication, to reduce risks of unauthorized access. Third-party access to our systems is provisioned using the principle of least privilege and/or role-based access, as appropriate.

Incident Response & Resilience

We maintain an incident response plan that addresses triage, severity assessment, investigation, escalation, containment, remediation, and compliance with potentially applicable legal obligations and contractual requirements.
We periodically test our incident response procedures, including tabletop exercises with IT and security personnel, key internal stakeholders, and external partners. We also periodically test our disaster recovery plans to support business continuity and preparedness for disaster recovery incidents.

Third-Party & Supply Chain Risk

We assess cybersecurity risks associated with third-party service providers, including those in our supply chain and those with access to our systems or to employee or patient data, through initial due diligence and periodic reassessments based on risk tiering. We incorporate security requirements into applicable agreements and monitor certain higher-risk providers on an ongoing basis. Third-party risks are integrated into our broader risk management processes.

Policies, Training & Awareness

We conduct annual policy re-training for all employees covering data protection, breach reporting and data classification. We provide periodic cybersecurity awareness training on topics such as social engineering, phishing, password protection, confidential data handling and acceptable use. We also conduct regular simulated phishing tests to reinforce awareness and reporting.

Regulatory Monitoring

We monitor evolving cybersecurity threats and applicable data protection and privacy laws and regulations and update our processes to maintain compliance and resiliency.

Insurance

We maintain cybersecurity risk insurance intended to cover certain costs and liabilities associated with cybersecurity incidents, subject to customary retentions, limits and exclusions. Insurance coverage may not be available for all potential losses.

Governance

Board Oversight

The Audit Committee of the Board of Directors is responsible for oversight of our cybersecurity risk assessment, risk management and incident response procedures.
The Audit Committee receives periodic updates from management on cybersecurity threat trends, our risk management and strategy processes, significant developments, and preparedness activities, and it provides updates to the full Board. Members of the Board regularly engage with management on cybersecurity developments and discuss updates to our cybersecurity risk management and strategy programs.

In addition, we maintain two management-level governance bodies that provide cross-functional oversight and escalation pathways:

- An AI Governance Committee, which meets periodically to review risks associated with the development and use of artificial intelligence technologies across the company; and
- A Security and Privacy Governance Committee, a cross-functional team of leaders that meets periodically to review internal and external security and privacy risks and to coordinate controls, compliance activities and remediation priorities.

These committees inform management's reporting to the Audit Committee and facilitate timely escalation of relevant matters.

Management's Role and Expertise

Our cybersecurity risk assessment, management and strategy processes are led by our Vice President, Head of Technology, a Certified Information Security Manager with over 20 years of experience in information security, privacy, cybersecurity strategy and program implementation. The Vice President oversees prevention, mitigation, detection and remediation activities and is responsible for our incident response plan and escalation processes. Management is supported by internal and external specialists, including a Senior Engineer for Information Security, who reports to the Vice President and holds a master's degree in cybersecurity, and by outsourced 24x7 NOC and SOC providers that deliver continuous monitoring and support. Incident severity thresholds and defined escalation criteria govern reporting to senior leadership and the Audit Committee.
Incident Response, Business Continuity and Disaster Recovery

Our incident response plan coordinates internal and third-party activities to prepare for, respond to and recover from cybersecurity incidents. These activities include identification, triage and severity assessment; investigation and containment; eradication and remediation; and post-incident lessons learned. As appropriate, we address notification and other legal or contractual obligations. We conduct tabletop exercises involving IT and security personnel, key business stakeholders and external partners to evaluate and improve our effectiveness, and we periodically test disaster recovery plans to help ensure operational resilience.

Third-Party Risk Management

We evaluate cybersecurity risks associated with third-party service providers through initial due diligence and periodic reassessments. For providers with access to sensitive data or critical systems, we require adherence to defined security standards and contractual obligations and apply least-privilege and/or role-based access controls. We perform ongoing monitoring of certain higher-risk providers and integrate third-party risks into our enterprise risk management processes.

Material Impacts from Cybersecurity Threats

Based on our assessments using the processes described above, we have not identified any cybersecurity incidents that have had a material impact on our business strategy, results of operations or financial condition. However, cybersecurity threats continue to evolve and could materially affect us in the future. Additional information about risks related to cybersecurity and privacy is included in Item 1A. Risk Factors, which should be read in conjunction with this Item 1C. We intend to comply with applicable reporting obligations regarding any material cybersecurity incidents.

Ongoing Program Evolution

We continue to evaluate and enhance our cybersecurity capabilities, including governance, controls, monitoring, training, third-party risk management and resilience measures, as the threat landscape and regulatory requirements evolve. No cybersecurity program can eliminate all risk, and there can be no assurance that our controls will prevent or mitigate all cybersecurity events or their potential impacts.


Company Information

Name: Dyne Therapeutics, Inc.
CIK: 0001818794
SIC Description: Pharmaceutical Preparations
Ticker: DYN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 31