Aquestive Therapeutics, Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

Aquestive Therapeutics, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 16:21:17 EST.

Filings

10-K filed on 2026-03-04

Aquestive Therapeutics, Inc. filed a 10-K at 2026-03-04 16:21:17 EST
Accession Number: 0001398733-26-000018


Item 1C. Cybersecurity.

Risk Management and Strategy

Aquestive maintains a cybersecurity risk management program designed to identify, assess, and mitigate risks from cybersecurity threats that could materially affect the Company's business operations, financial performance, or the confidentiality, integrity, and availability of Company data and information systems. The Company's cybersecurity program is organized around four pillars (Governance, Process, Compliance, and Audit) and is supported by formal written policies, procedures, and standards, including the Company's Information Technology Policy and Cybersecurity Policy (collectively, the "Cybersecurity Policies") that are assessed and evolving to address advancements in technology including artificial intelligence. The Cybersecurity Policies establish required security controls and requirements relating to, among other things, system access, acceptable use, software acquisition, password management, and network security. The Company also provides cybersecurity training and awareness programs, including training applicable to GxP and non-GxP systems, as required under the Company's Computer Policy.

The Company evaluates cybersecurity risk using processes aligned with recognized frameworks and standards, including the NIST CSF, applicable NIST Special Publications (including the 800 and 600 series), and ISO 42001. The Company maintains an Incident Response Plan that is aligned to the NIST incident response lifecycle and is designed to support a consistent approach to cybersecurity events, including preparation, identification, containment, eradication, recovery, and lessons learned.

The Company's cybersecurity monitoring activities include, among other things, review of system logs, authentication activity, endpoint security events, and network behavior. These activities are supported by internal resources and a third-party MSSP. The MSSP supports the Company with active threat monitoring, threat intelligence, risk assessment processes, and incident response capabilities intended to enable the Company to assess and address cybersecurity risks that could impact business operations. The Company may also engage other external experts, including cybersecurity assessors, consultants, and auditors, from time to time to evaluate cybersecurity measures and the effectiveness of relevant risk management processes.

The Company relies on third parties, including suppliers, vendors, cloud platforms, and other service providers, in connection with its operations. The Company reviews cybersecurity risks associated with third-party relationships and maintains controls designed to restrict unauthorized access and to align with internal policy requirements. While the Company's processes are intended to reduce exposure to cybersecurity threats, no controls can eliminate all risk, and cybersecurity threats and threat actors continue to evolve.

Cybersecurity risks are also reviewed as part of the Company's enterprise risk management program. The Company assesses on an ongoing basis the potential impacts of cybersecurity risks and how such risks could materially affect the Company's business strategy, results of operations, or financial condition. During the reporting period, the Company did not identify any cybersecurity threats or incidents, including as a result of previous cybersecurity incidents, that it believes have materially impacted, or are reasonably likely to materially impact, the Company's business strategy, results of operations, or financial condition.

Governance

Role of Management/Board

The Chief People Officer, together with the broader information technology function, is responsible for assessing and managing the Company's cybersecurity risks and for informing senior management and the Audit Committee regarding cybersecurity risks and the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Chief People Officer reports to the Company's Chief Executive Officer and leads the Company's cybersecurity program. The Chief People Officer has served in this function at the Company for 10 years and has over eleven years of experience in information security strategy and cybersecurity risk management. The Company's internal information technology team has over fifteen years of combined technical, program management, and architecture experience in managing cyber risk and information security.

The Company's Cybersecurity Policy and Incident Response Plan assign responsibilities for incident governance, including to the CSIRT, Incident Response Commander, Incident Response Manager, and Incident Handling Team. These documents also establish escalation pathways and decision-making authority during cybersecurity events. The Company's leadership, including the Director of IT and senior executives identified in the incident response governance matrix, are responsible for reviewing cybersecurity risks, approving responses to significant incidents, and ensuring the Company maintains appropriate resources for cybersecurity operations and continuous improvement consistent with the Company's framework-aligned processes.

Board Oversight of Cybersecurity Risk

The Audit Committee provides oversight of the Company's cybersecurity matters, including risks associated with cybersecurity threats. The IT Officer briefs the Audit Committee quarterly regarding the effectiveness of the Company's cybersecurity program, with a more in-depth review conducted annually.


Company Information

Name: Aquestive Therapeutics, Inc.
CIK: 0001398733
SIC Description: Pharmaceutical Preparations
Ticker: AQST - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 31