Aldeyra Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Aldeyra Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:36:59 EST.

Filings

10-K filed on 2025-02-28

Aldeyra Therapeutics, Inc. filed a 10-K at 2025-02-28 16:36:59 EST
Accession Number: 0000950170-25-030102

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY All companies utilizing technology are subject to threats of breaches of cybersecurity. To mitigate the threat to our business and address regulatory requirements, we take a comprehensive approach to cybersecurity risk management and have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. We continue to make proactive and strategic investments to augment the capabilities of our people, processes, and technologies in order to address our cybersecurity risks . Our cybersecurity risks, and the controls designed to mitigate those risks, are imbedded into our overall risk management governance and are reviewed at least annually by the Audit Committee of our board of directors. Risk Management and Strategy We have implemented a set of comprehensive cybersecurity and data protection policies and procedures. Our employees and contractors receive regular cybersecurity awareness trainings, including specific topics related to social engineering and email fraud. We have engaged consultants with significant expertise and certifications in cybersecurity related to our industry. For continuous cybersecurity monitoring across our information technology environment, we have invested in advanced technologies that are designed to prevent, detect, and minimize cybersecurity attacks, as well as alert management of such attacks. Our information security policy is based on recognized industry standards and cover areas such as risk management, data backup, and data recovery. We engage consultants and IT managed service providers (IT MSP), to help us design and implement our cybersecurity policies and procedures. IT MSP assist us with monitoring security threats and vulnerabilities and responding to identified cybersecurity incidents , including prompt escalation and timely communication of major security incidents to senior business leadership and the Audit Committee. We conduct cybersecurity penetration testing as warranted to identify and remediate cybersecurity gaps. Primary responsibility for assessing, monitoring, and managing our cybersecurity risks rests with our current IT consultants and IT MSP, who report to our Chief Development Officer. We evaluate each third-party service provider to verify the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures, and to promptly report any suspected breach of security measures that may affect the Company. Governance Our Board of Directors and Audit Committee are responsible for overseeing our cybersecurity risk management and strategy. Our Chief Development Officer periodically meets with our IT consultants and IT MSP about ongoing compliance and risk management, and our Chief Executive Officer provides periodic briefings to the Audit Committee regarding our cybersecurity risks and activities , including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Cybersecurity Threat Disclosure There can be no guarantee that our policies and procedures will be properly followed in every instance or that those policies and procedures will be effective. Although our “Risk Factors” in Item 1A include further detail about the material cybersecurity risks we face, to date, we are not aware of any cybersecurity threats that have materially affected our business. We can provide no assurance that there will not be incidents in the future or that they will not materially affect us, including our business strategy, results of operations, or financial condition. 86

Company Information