ESSA Pharma Inc. 10-K Cybersecurity GRC - 2024-12-17

Page last updated on December 17, 2024

ESSA Pharma Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-12-17 07:00:27 EST.

Filings

10-K filed on 2024-12-17

ESSA Pharma Inc. filed a 10-K at 2024-12-17 07:00:27 EST
Accession Number: 0001558370-24-016318

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy The Company contracts with third party service providers for its information technology and cybersecurity risk management functions. The Company’s third party cybersecurity provider assesses risks to the Company from cybersecurity threats, monitors its information systems for potential vulnerabilities and tests those systems pursuant to the provider’s cybersecurity standards, processes, and practices. To protect the Company’s information systems from cybersecurity threats, the Company’s third party cybersecurity provider uses various security tools that help the Company identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. These efforts include but are not limited to, timely reporting of cybersecurity incidents to the Company, performing vulnerability testing, using tools and techniques to test security controls, monitoring emerging trends and regulations related to information security, and implementing appropriate changes, as needed, to the Company’s cybersecurity protections. During the third party procurement and contracting process, the Company incorporates due diligence procedures and contract provisions that are designed to align with applicable regulations and industry benchmarks. To date, the Company is not aware of cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to affect the Company, including its business strategy, results of operations or financial condition. Refer to the risk factor captioned " The Company’s business and operations would suffer in the event of computer system failures or security breaches " in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on the Company. Governance The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity measures throughout its operations that are designed to address cybersecurity threats and incidents. The Company has a Cyber Security Policy (the “Policy”) that includes guidelines and provisions for security measures to help mitigate the Company’s cybersecurity risk. The Policy applies to all Company employees, contractors, volunteers, and anyone who has permanent or temporary access to the company’s systems and hardware (“Covered Persons”). In addition to outlining measures Covered Persons are expected to take to help protect the Company’s information technology and cybersecurity infrastructure, the Policy includes a process for Company employees who identify a cybersecurity risk to report and escalate such risk to the Executive Director of Administration (the “EDA”) for investigation. The Company has implemented a cybersecurity incident response plan that is designed to provide controls and procedures to facilitate timely and accurate reporting of a material cybersecurity incident. The initial impact of each cybersecurity event is evaluated by our third party cybersecurity provider, who would promptly inform the Company’s EDA. If a cybersecurity event meets certain criteria, the EDA escalates it to our management team, including our Chief Executive Officer and Chief Financial Officer. The incident response plan also contains procedures for escalating cybersecurity incidents to the Chairman of the Board and the Audit Committee. The EDA is responsible for managing the Company’s cybersecurity risks. The current EDA has over 15 years of experience in IT oversight. Oversight responsibility for information security matters is shared by the Board (primarily through the Audit Committee) and senior management. The Audit Committee oversees the Company’s cybersecurity and information security program and receives quarterly updates from senior management on cybersecurity and information security matters. The EDA or key members of our management team update the Audit Committee periodically on the cybersecurity landscape, including the status of cybersecurity threats and the Company’s contracts and initiatives related to cybersecurity. 54

Company Information