COMPASS Pathways plc 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

COMPASS Pathways plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 06:28:33 EST.

Filings

10-K filed on 2025-02-27

COMPASS Pathways plc filed a 10-K at 2025-02-27 06:28:33 EST
Accession Number: 0001628280-25-008412

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY We are a clinical-stage biotechnology company and continue to mature as a public company since our initial public offering in 2020. We have developed cybersecurity policies, procedures and practices and an enterprise risk management program designed to align to the nature, size and scale of our business operations and cybersecurity threat profile. Cybersecurity Governance Our board of directors has delegated oversight responsibility for risk management, including cybersecurity risks, to our audit and risk committee , and such responsibilities are set forth in the audit and risk committee’s charter. At routine board meetings, the chair of the audit and risk committee regularly provides a report to the full board on the committee’s oversight activities. As part of our enterprise risk management program, which is overseen by the audit and risk committee, we identify and review risks related to cybersecurity on a regular basis, including risks related to third-party access to our information technology systems. We conduct periodic enterprise risk assessments and report the results to the executive team and the audit and risk committee. Our chief technology officer, with 14 years of experience in information technology, artificial intelligence and software engineering, is responsible for managing and assessing risks related to cybersecurity and data governance. Our chief technology officer is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents, through our security incident response process. Our chief technology officer supervises our vice-president of information technology, who has primary operational responsibility for managing the overall cybersecurity posture and strategy, managing internal and external cybersecurity resources and organizing and leading efforts to prevent, detect and respond to cybersecurity incidents and threats. Prior to joining the company, our chief technology officer previously served in various data and technology leadership roles, including most recently as chief data officer at another biotechnology company. Our vice-president of information technology has 25 years of experience in information technology and most recently served as senior director of information technology operations and infrastructure at another biotechnology company . As part of our quarterly disclosure committee process, our chief technology officer discusses with our chief executive officer, chief financial officer and other members of the disclosure committee, any significant cybersecurity issues, including any potential risks related to cybersecurity incidents. Cybersecurity Risk Management Strategy Our cybersecurity risk management program is integrated into our overall enterprise risk management system . We have developed and implemented policies, procedures and practices designed to protect the information and systems that support our operations and assets. In developing our policies and procedures, we were informed by certain industry standards and guidelines. We routinely train our employees on cybersecurity awareness and our information security and data protection policies. We have policies and procedures designed to prevent, detect and respond to cybersecurity incidents or threats. We use industry standard security and monitoring systems that are managed by our internal information technology team with support from third-party IT services firms. We also periodically conduct security testing or hire third-parties to conduct security testing, such as phishing testing and penetration testing. The results of our security testing are reported to our chief technology officer and, when relevant, with the wider executive team. When engaging third-parties, we have procedures and protocols designed to protect our information technology systems and our confidential information. For example, before we grant third-parties access to our information technology systems, we require typically agreements with such third-parties, we ordinarily require such third parties to complete cybersecurity training and we typically require specific contract terms in our agreements with such third-parties. To date, we have not identified any risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents experienced by us or, to our knowledge, by any of our third-party service providers, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. Refer to the risk factor captioned " Our business and operations would suffer in the event of computer system failures, cyber-attacks or deficiencies in our cyber security or cyber security of our collaborators, vendors and other partners. " in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks.

Company Information