Acasti Pharma Inc. 10-K Cybersecurity GRC - 2024-06-21

Page last updated on July 16, 2024

Acasti Pharma Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-06-21 07:30:32 EDT.

Filings

10-K filed on 2024-06-21

Acasti Pharma Inc. filed a 10-K at 2024-06-21 07:30:32 EDT
Accession Number: 0000950170-24-075875

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are increasingly dependent on third-party provided software applications and computing infrastructure to conduct key operations. We depend on both our own procured systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners. Given the importance of cybersecurity to our business, we maintain a robust cybersecurity program as well as cybersecurity policies and processes to support our controls and our preparedness for treatment of identified information security risks. We also undergo annual evaluations of our cybersecurity program, conducted by our cybersecurity external advisory firm. Our cybersecurity program evaluation identified various risks and issues that we continue to mitigate to further improve our program. This includes: - Establishing a cybersecurity training program for users. - Implementing a third-party risk management program to support our existing Third-Party Risk Management Policy and process to assess the risks associated with our critical third-party vendor engagements. - Testing our Cybersecurity Incident Response Plan. - Establishing additional processes for identifying cybersecurity threats and vulnerabilities within the environment in which we operate. - Enhancing our technical security management safeguards and configurations. Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats In the event of a cybersecurity incident, we maintain a Cybersecurity Incident Response Plan. Pursuant to the plan and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis and program enhancements. We have a relationship with various law firms to assist with advisory on legal aspects of containing incidents and communicating accordingly. Governance Management Oversight The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our information technology (“IT”) contractor. Our IT consultant leverages their over 35 years of experience. Our IT consultant is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity incidents. Board Oversight While our Board of Directors (the “Board”) has overall responsibility for risk oversight, the Audit Committee of the Board (the “Audit Committee”) oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, monitoring, reporting and, where appropriate, providing recommendations to the Board regarding compliance with our internal policies and its progress in remedying any material deficiencies, including those related to our security policies, including the physical safeguarding of corporate assets and security of our networks and information systems. The Audit Committee receives quarterly updates regarding the cybersecurity program, including top threats and risks, and updates on the cybersecurity roadmap. Cybersecurity Risks We maintain a Risk Management Policy that governs the process in which we identify cybersecurity risks, and quantify and evaluate their associated impacts and risk levels. A Cybersecurity Risk Register is also leveraged to track identified cybersecurity risks to date and update treatment of such risks accordingly. 46 For additional information, see “Item 1A-Risk Factors.” In the last two reporting years, we did not experience any material cybersecurity incidents or threats.

Company Information