Ocugen, Inc. 10-K Cybersecurity GRC - 2026-03-04

Page last updated on March 4, 2026

Ocugen, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-04 11:38:01 EST.

Filings

10-K filed on 2026-03-04

Ocugen, Inc. filed a 10-K at 2026-03-04 11:38:01 EST
Accession Number: 0001628280-26-014435

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We regularly assess, identify, and manage risks from cybersecurity threats as an integral part of our overall enterprise risk management (ERM) program. Our cybersecurity policies, processes, and practices include ongoing monitoring of information systems for vulnerabilities, periodic testing, in-house employee training and case discussions, and the use of advanced security tools designed to detect, prioritize, escalate, investigate, resolve, and recover from incidents in a timely manner. To evaluate how effective our cybersecurity prevention and response mechanisms are, we partner with external organizations such as cybersecurity assessors, consultants, and specialists. Their expertise enables us to pinpoint, confirm, and validate cybersecurity risks, as well as support the creation and implementation of mitigation strategies when required. By utilizing these systems and expert guidance, we can detect threats, determine their severity, and address possible repercussions by preventing breaches and relying on vendors who advise us on optimal risk management practices. These external parties and systems form a crucial part of our enterprise risk management framework for cybersecurity. Additionally, we have established a due diligence protocol to monitor and identify significant risks arising from our relationships with third-party vendors, including those providing cybersecurity services, to ensure we manage all threats related to their involvement appropriately. To date, we have not experienced any cybersecurity incidents that have materially affected, or are reasonably likely to materially affect, our company, including our business strategy, results of operations, or financial condition. Refer to "Item 1A. Risk Factors" in this Annual Report, including the risk factor titled "Our internal computer systems or those of our development collaborators, third-party CDMOs, or other contractors or consultants may fail or suffer cybersecurity incidents, data breaches, or other disruptions, which could result in a material disruption of our product development programs and cause our business and operations to suffer," for additional discussion of cybersecurity-related risks. Cybersecurity Governance Cybersecurity is an important part of our risk management processes. Our Associate Vice President of IT & Facilities is responsible for overseeing the cybersecurity risk management program. He has over 20 years of IT management, cybersecurity, and information governance experience. In order to monitor and appropriately escalate cybersecurity risks (including with respect to cybersecurity incidents), our Associate Vice President of IT & Facilities receives reports on a monthly basis, and more frequently as appropriate, from our third-party cybersecurity vendor. Our Board's role in risk oversight is consistent with our leadership structure, with management having day-to-day responsibility for assessing and managing our risk exposure and our Board actively overseeing the management of our risks both at the Board and Committee level. The Board conducts its risk oversight by receiving reports from each of the Committees and our executive officers regarding our risk identification, risk management, and risk mitigation strategies with respect to areas of potential material risk, including cybersecurity risk. The Board has delegated to the Audit Committee of the Board primary responsibility for overseeing risks from cybersecurity threats. Our Associate Vice President of IT & Facilities briefs the Board of Directors on our cybersecurity risk management program on a quarterly basis, using risk assessment reports from our third-party cybersecurity vendor. The briefing includes discussion of management's actions to identify and detect threats, as well as planned actions in the event of a response or recovery situation.

Company Information