Altimmune, Inc. 10-K Cybersecurity GRC - 2026-03-06

Page last updated on March 6, 2026

Altimmune, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-06 07:56:28 EST.

Filings

10-K filed on 2026-03-06

Altimmune, Inc. filed a 10-K at 2026-03-06 07:56:28 EST
Accession Number: 0001326190-26-000018

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Governance As part of its oversight role, the Audit Committee of our Board is responsible for overseeing cybersecurity risk exposure as well as management's actions to identify, assess, mitigate and remediate cybersecurity threats. The Audit Committee receives quarterly reports from our Chief Financial Officer, Chief Legal Officer and Senior Director of Information Technology regarding our cybersecurity risk programs. Our Chief Legal Officer also provides periodic updates to the Board, addressing the Company's expanded Enterprise Risk Management program and assessments, that include summaries of our cybersecurity risk programs to enable discussion of cybersecurity risk management at the Board level. The Audit Committee annually reviews and recommends our information security policy and program to the Board. The Audit Committee is composed of members with financial expertise as well as one member with a cybersecurity oversight certification. Our Chief Financial Officer has overall responsibility for our cybersecurity and has over 30 years of experience managing information technology, or IT, departments at biotechnology and pharmaceutical companies. Our Chief Legal Officer has over 30 years of experience in federal law enforcement, life sciences legal and compliance programs, risk management and corporate governance responsibilities. Our Senior Director of Information Technology is responsible for the development and implementation of IT department controls, policies, infrastructure, and day-to-day operations, in addition to managing security risk, evaluating safeguards and recommending security improvements, and has over nine years of experience managing IT departments, including with respect to cybersecurity, for a biotechnology company. These individuals are informed of cybersecurity risks on an ongoing basis in part via our utilization of third-party vendors, which we utilize to help strengthen our information security risk management by conducting evaluations of our security controls on at least a quarterly basis. Enterprise Risk Management and Strategy In 2025, the Company established its Enterprise Risk Management ("ERM") program, as part of which the Company periodically reviews and assesses the most significant and likely risks to the enterprise, the strategies the Company has implemented to mitigate such risks, and the likelihood that such risks will occur within a defined period of time. As part of this process, each risk and mitigation is evaluated to determine if any additional steps to address the risk may be warranted. Management shares its ERM assessments on a quarterly basis with the Audit Committee to solicit input and feedback and periodically reports their assessments to the full Board of Directors. The Company's ERM program includes cybersecurity as a component of the broader risks considered and assessed. Our cybersecurity risk management program is comprised of the following components: ● Identifying assets at risk from cybersecurity threats and taking mitigation measures including the implementation of data backup, recovery and restore procedures to address business continuity, as well as through IT controls, policies and infrastructure. ● Identifying potential cybersecurity threats that could disrupt our IT systems, cause a data breach or other incident or compromise data security by implementing several protective measures. ● Conducting periodic assessment of protections to prevent or mitigate cybersecurity threats. ● The Company has processes to oversee and identify risks from cybersecurity threats associated with its use of third-party service providers and vendors. ● Retaining third parties to periodically assess our cybersecurity management program , provide cybersecurity training, perform phishing tests, gap analyses and penetration tests, advise on business continuity plans, and to provide additional support in the event of a cybersecurity incident. While risks from cybersecurity threats or incidents have not materially affected our strategy, results of operations, or financial condition to date, the Chief Financial Officer, Chief Legal Officer and Senior Director of Information Technology work with other groups in the Company to understand the severity of the potential consequences of a cybersecurity incident and to make decisions about how to prioritize mitigation and other initiatives based on, among other things, materiality to the business. All employees and contractors receive cybersecurity training, and we plan to implement additional annual training for all employees and contractors. All trainings are intended to raise awareness of cybersecurity threats in order to reduce our vulnerability as well as to encourage consideration of cybersecurity risks across functions.

Company Information