Kura Oncology, Inc. 10-K Cybersecurity GRC - 2025-02-28

Page last updated on March 3, 2025

Kura Oncology, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 16:01:36 EST.

Filings

10-K filed on 2025-02-28

Kura Oncology, Inc. filed a 10-K at 2025-02-28 16:01:36 EST
Accession Number: 0000950170-25-029975

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, financial, or competitive in nature, information related to our clinical trials and preclinical studies and information of our employees, or Information Systems and Data. Our Information Technology, or IT, department identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, manual and automated tools, subscribing to and analyzing reports and services that identify cybersecurity threats and threat actors, evaluating threats that are reported to us, using external intelligence feeds, engaging in internal and external audits, and engaging third parties to conduct threat assessments. Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, a disaster recover/business continuity plan and information security policy, encrypting certain data, data segmentation, network security controls, access and physical security controls, asset management, tracking and disposal, systems monitoring, employee training, maintaining cyber insurance and using third party threat detection software. The head of our IT department, who has more than 25 years of experience in IT and more than 15 years of experience in cybersecurity for public companies, reports to our Chief Operating Officer and works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. We have established an Incident Review Team, which consists of representatives of our Finance, IT and Legal departments, to investigate, evaluate and respond to cybersecurity incidents. The Incident Review Team is responsible for escalating confirmed cybersecurity incidents to a Materiality Assessment Team, consisting of members of management. The Materiality Assessment Team is responsible for reporting cybersecurity incidents to the audit committee of the board of directors , as appropriate based upon the nature of the incident (or series of incidents). We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example threat intelligence service providers, cybersecurity software, and darkweb monitoring services. We also use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, CROs and contract manufacturing organizations. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, the access to be provided to such Information Systems and Data, and the identity of the provider, our vendor due diligence involves different levels of assessment of systems and controls designed to help identify cybersecurity risks associated with a provider. In addition, we may impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including " If our information technology systems, or those of third parties with whom we work, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences . " Governance Our cybersecurity risk assessment and management processes are implemented and maintained by certain company management, including the head of our IT department. The head of IT is responsible for integrating cybersecurity risk considerations into our overall risk management strategy, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. 78 Our cybersecurity incident response policy is designed to escalate certain cybersecurity incidents to our Materiality Assessment Team, comprised of members of management. In addition, our cybersecurity incident response policy includes reporting to the audit committee of the board of directors for certain cybersecurity incidents. Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The audit committee receives regular reports from the head of our IT department concerning the measures we have taken to monitor and evaluate our cybersecurity threat environment and any cybersecurity incidents that have occurred.

Company Information