CASSAVA SCIENCES INC 10-K Cybersecurity GRC - 2025-03-03

Page last updated on March 3, 2025

CASSAVA SCIENCES INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-03 16:20:22 EST.

Filings

10-K filed on 2025-03-03

CASSAVA SCIENCES INC filed a 10-K at 2025-03-03 16:20:22 EST
Accession Number: 0001437749-25-005919

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy In the normal course of business, we collect and store sensitive information, including proprietary and confidential business information, intellectual property, information regarding clinical and non-clinical trials, sensitive third -party information and employee information. We have processes designed to protect our information systems, data, assets, infrastructure, and computing environments from cybersecurity threats and risks. Our cybersecurity strategy includes the use of managed detection and response services to monitor our network infrastructure and associated endpoints for possible cybersecurity threats. In addition, we use multi-factor authentication, perform periodical penetration testing and other logical, physical and technical controls designed to deter, prevent, mitigate and respond to cybersecurity threats. Further, our information systems include continuous alert plans, and we provide periodical cybersecurity reminders to our employees to emphasizes the importance of adherence to our security policies. We conduct organizational risk assessment, which help management in identifying data assets and recognizing and assessing potential threats, and investigating potential vulnerabilities. We are in the process of reviewing and implementing incremental information technology strategies to mitigate cybersecurity risks and their possible impacts. Risk assessments enable management to make risk management decisions and assign resources to mitigate risk. We also periodically engage third parties to assess the effectiveness of our cybersecurity practices. As of the date of this Annual Report, we do not believe that any past cybersecurity incidents that have been detected have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. See “Risk Factors - Risks Related to Our Business and Operations” for additional information about the risks to our business associated with cybersecurity or a breach or compromise to our information security systems. Governance Our Director of Information Technology has responsibilities which include preventing and monitoring cybersecurity threats and utilizes the assistance of external vendors in this effort. Our Director of Information Technology regularly reports to senior management regarding the status of our cybersecurity program, emerging cybersecurity threats, long-term cybersecurity investments and strategies, and oversight of our cybersecurity profile. Our full Board of Directors oversees the risk management process for the Company, which includes identifying, assessing and managing enterprise-level risks. The Board administers this oversight function directly through the Board of Directors as a whole, as well as through its standing committees that address risks inherent in their respective areas of oversight. The risk oversight responsibility of the Board of Directors and its committees is supported by the management reporting processes, which are designed to provide visibility to the Board of Directors and to the personnel who are responsible for risk assessment and information about the identification, assessment and management of critical risks, and management’s risk mitigation strategies. Our cybersecurity risk program directly integrates and is intended to align with the Board of Directors’ overall risk management process.

Company Information