Phio Pharmaceuticals Corp. 10-K Cybersecurity GRC - 2026-03-05

Page last updated on March 5, 2026

Phio Pharmaceuticals Corp. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-05 16:17:45 EST.

Filings

10-K filed on 2026-03-05

Phio Pharmaceuticals Corp. filed a 10-K at 2026-03-05 16:17:45 EST
Accession Number: 0001437749-26-007078

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We are increasingly dependent on sophisticated software applications and third-party hosted services to conduct our business operations. Our technology environment relies primarily on cloud-based systems operated by, third party providers as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners. 17 Cybersecurity Risk Management Strategy We maintain various information security processes to manage cybersecurity risks designed to support the security , reliability and resilience of our information systems. This program includes a number of safeguards, such as: continuous monitoring for internal and external threats, periodic evaluations of our cybersecurity program, including external reviews, benchmarking against industry standards and practices, periodic penetration testing and phishing simulations and cybersecurity awareness training for all employees. Our cybersecurity risk management processes are integrated into our overall information technology ("IT") processes. As part of our IT process, we identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by a managed information technology service provider working in coordination with our management. This provider has more than 20 years of experience in information technology and cybersecurity and holds industry-recognized certifications. The provider is responsible for the day-to-day administration of the cybersecurity program, including monitoring, threat prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents. The Company does not have a full-time dedicated cybersecurity position in the Company. We use a risk-based approach with respect to our use and oversight of third -party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by each service provider. We use a number of means to assess and manage cyber risks related to our third -party service providers, including conducting due diligence in connection with onboarding new vendors and using contractual provisions to address information security where applicable. In the event of a cybersecurity incident, designated personnel are responsible for assessing the severity and potential impact of the incident, containing and remediating the threat, restoring data and system access as necessary, evaluating related reporting obligations associated with the incident, and performing post-incident analysis and reviews to identify opportunities for program enhancements. We also maintain relationships with a number of third-party service providers, insurance providers, and external legal counsel to assist with cybersecurity incident response and remediation efforts. Although we have experienced phishing attempts during the past three years, we have not experienced any cybersecurity threats or incidents that have materially affected our business strategy, results of operations or financial condition nor are we aware of any such risks that are reasonably likely to have such a material effect. Cybersecurity incidents and threats continue to evolve, and despite our safeguards, we may not be able to anticipate, detect or prevent threats in a timely manner. For additional information, see "Item 1A-Risk Factors- Our business and operations would suffer in the event of a cybersecurity incident." Governance The Audit Committee of our Board is responsible for oversight of the Company's cybersecurity risk management and receives quarterly updates from our management regarding cybersecurity risks, significant cybersecurity incidents and cybersecurity initiatives and strategies. Our management also notifies our Board of significant cybersecurity incidents and provides updates on the incidents as well as cybersecurity risk mitigation activities as appropriate. 18

Company Information