KalVista Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2024-07-11

Page last updated on July 16, 2024

KalVista Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-07-11 16:11:22 EDT.

Filings

10-K filed on 2024-07-11

KalVista Pharmaceuticals, Inc. filed a 10-K at 2024-07-11 16:11:22 EDT
Accession Number: 0000950170-24-082965


Item 1C. Cybersecurity.

Risk Management & Strategy

We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information with the aim to continually improve security to keep pace with the evolving cyber threat landscape. Our strategy toward managing cybersecurity risk in our business is informed by and aligned with the core principles and methods outlined within the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, while including elements of the International Organization for Standardization’s ISO/IEC 27001 publication and industry best practices. This does not mean that we seek to meet any particular technical standards, specifications, or requirements, only that we intend to use the NIST CSF or ISO 27001, and other resources as guides to help us identify, assess, and manage cybersecurity risks relevant to our business. Inclusive in these frameworks and our program are components for continuous improvement through feedback, self-review and external testing.

Our cybersecurity program leverages people, processes and technology to identify and respond to cybersecurity threats in a timely manner. As part of our cybersecurity program, we maintain various protections designed to safeguard against cyberattacks, including but not limited to firewalls, endpoint detection and response, anti-malware, immutable backups, multi-factor authentication schemes, data encryption, and security system information event monitoring to detect and respond quickly to any emergent threats. In addition, we periodically conduct intrusion and penetration testing through third parties to evaluate our cybersecurity response capability. We also maintain a security awareness program with mandatory semi-annual training content and perform automated e-mail based phishing tests. Results of testing help to inform and provide continuous improvement of our security awareness training materials, approaches and strategies. We routinely communicate with employees about the potential for cybersecurity threats, including the latest adversary trends and social engineering techniques, and how to avoid them, and the best use of our established communications channels.

We perform a formal cybersecurity risk assessment each year. As part of our risk assessment, we consider the potential for cybersecurity threats, including but not limited to interruptions, outages and breaches to our operational and financial systems. We have policies, processes, internal controls and tools to assess, identify, and manage material risks from potential cybersecurity threats.

We engage third-party service providers, with significant information technology and cybersecurity experience, to assist with designing, implementing and managing our information technology infrastructure and cybersecurity program. In addition, we engage external third-party information security consultants to periodically conduct information security testing and assessments designed to identify, assess, and manage cybersecurity risks, and to evaluate our overarching information security program and specific incident response procedures.

We perform diligence on our vendors and prospective vendors regarding their cybersecurity posture. Although we continue to invest in this diligence regarding our critical vendors, our control over the security posture of our vendors is limited, and there can be no assurance that we can prevent or significantly mitigate the risk of any compromise or failure in the information assets owned or controlled by such vendors.

Governance

The Director of IT is responsible for implementing and maintaining the information security program. The Director of IT role is currently held by an individual who has over 20 years of experience in enterprise-level IT operations and management, cybersecurity operations and management and IT/Cyber architecture and strategy. The Director of IT reports to our VP of Finance, who together are responsible for coordinating information security risk assessments and overseeing periodic testing of our cybersecurity controls. Our VP of Finance meets with the Audit Committee of our board of directors periodically for the audit committee to provide guidance on the prioritization of the risk remediation and ongoing implementation of cybersecurity improvements across our organization.

The Director of IT engages with our managed service providers to proactively address emerging threats based on industry reports and respond to any threats and incidents. Our managed service providers also provide continuous support and coverage of our environment. We utilize threat intelligence services from multiple organizations, allowing us to proactively respond to emerging cybersecurity threats.

Our board of directors considers cybersecurity risk part of its risk oversight function and has delegated to the Audit Committee of our board of directors oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The relevant members of management regularly update the Audit Committee with respect to cybersecurity risk, also on an ad-hoc basis as necessary, regarding any material cybersecurity incidents and any incidents with lesser impact potential. The Audit Committee periodically reports to the full board of directors regarding its activities, including those related to cybersecurity.

As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. However, we are subject to various cybersecurity risks that may adversely affect our business, financial condition and results of operations. See Item 1A. Risk Factors, "Our business and operations would suffer in the event of system failures, cyberattacks or a deficiency in our cybersecurity" for further discussion.


Company Information

Name: KalVista Pharmaceuticals, Inc.
CIK: 0001348911
SIC Description: Pharmaceutical Preparations
Ticker: KALV - Nasdaq
Website
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: April 29