Page last updated on March 3, 2026
Passage BIO, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-03 07:15:58 EST.
Filings
10-K filed on 2026-03-03
Passage BIO, Inc. filed a 10-K at 2026-03-03 07:15:58 EST
Accession Number: 0001104659-26-022549
Item 1C. Cybersecurity.
We maintain a cybersecurity risk management program designed to identify, assess, and manage material risks arising from cybersecurity threats. Our program incorporates elements of widely adopted industry cybersecurity frameworks and standards and includes processes for threat monitoring, vulnerability and patch management, incident detection and response, security awareness training, and business continuity planning. Our information systems support clinical trial operations, research and development activities, manufacturing collaborations, and corporate functions and include sensitive clinical data, research data, and intellectual property.

We conduct periodic risk assessments to evaluate emerging threats and potential impacts to our research, clinical, manufacturing, and corporate systems. These assessments inform our technical and administrative safeguards, which include identity and access controls, network segmentation, encryption, logging, and continuous monitoring. We also maintain an incident response plan and conduct tabletop exercises to evaluate readiness.

Risk Management and Strategy

As one of the critical elements of the Company's overall risk management and compliance approach, the Company's cybersecurity program is focused on the following key areas:

Governance: The board of directors' oversight of cybersecurity risk management is led by the Audit Committee of the board of directors, which regularly interacts with our Chief Compliance Officer, our Chief Financial Officer, and other members of management.

Collaborative Approach: We have implemented a comprehensive, cross-functional approach for monitoring, identifying, preventing, detecting, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

Administrative Safeguards: We maintain a comprehensive set of administrative safeguards designed to govern the oversight, implementation, and continuous improvement of our cybersecurity program. These safeguards include detailed policies and procedures and ongoing employee training to ensure security is embedded in daily activities. We engage in periodic assessment of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity program and corresponding controls. The results of such assessments, audits and reviews are reported to the Audit Committee and the board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the insights gained from the assessments, audits and reviews.

Technical Safeguards: We maintain a layered set of technical safeguards to protect the confidentiality, integrity, availability, and privacy of our systems and data. Key controls include firewalls, network segmentation, intrusion detection and prevention, multi-factor authentication, encryption, anti-malware, endpoint protection, real-time threat intelligence and mitigation, and 24/7 logging, monitoring, and response.

Incident Response and Recovery Planning: We have established and maintain comprehensive incident response and recovery plans to address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.

Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, contract research organizations, contract development and manufacturing organizations, technology service providers and other third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.

Education and Awareness: We provide regular, mandatory training for personnel regarding cybersecurity threats as a means of providing our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. We also perform periodic email phishing tests to keep cybersecurity awareness top of mind.

Governance

The board of directors, with leadership from the Audit Committee, oversees our cybersecurity risk management process. The Audit Committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. The board of directors and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established escalation and materiality thresholds consistent with applicable SEC reporting requirements, as well as ongoing updates regarding any such incident until it has been addressed. On a periodic basis, the board of directors, through the Audit Committee, discusses our approach to cybersecurity risk management with management.

Our management team has implemented a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans.

Through ongoing communications with our entire employee base and appropriate third-party contractors, the management team oversees the prevention, detection, mitigation and remediation of cybersecurity threats and incidents through risk-based monitoring and periodic reporting to the Audit Committee when appropriate. Our enterprise risk management team consists of the Executive team and cross-functional professionals who collaborate with subject matter specialists, as necessary, including an independent third-party expert we have retained to identify and assess material risks from cybersecurity threats, their severity, and potential mitigation steps. Technical experts at our Managed Security Services Provider, or MSSP, also provide technical support and monitoring services under the oversight of management of our Company cybersecurity program, leveraging real-time threat intelligence and mitigation tools.

As of the date of this filing, we have not experienced a cybersecurity incident that we have determined to be material to our business, operations, or financial condition. However, we continue to monitor and enhance our cybersecurity capabilities in response to evolving threats.

Company Information
| Name | Passage BIO, Inc. |
| CIK | 0001787297 |
| SIC Description | Biological Products, (No Diagnostic Substances) |
| Ticker | PASG - Nasdaq |
| Website | |
| Category | Non-accelerated filer Smaller reporting company Emerging growth company |
| Fiscal Year End | December 31 |