Aquestive Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

Aquestive Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 16:29:07 EST.

Filings

10-K filed on 2025-03-05

Aquestive Therapeutics, Inc. filed a 10-K at 2025-03-05 16:29:07 EST
Accession Number: 0001628280-25-010506

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Aquestive’s cybersecurity program is built on four key pillars: Governance, Process, Compliance and Audit. While we face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, and results of operations, Aquestive’s cybersecurity program is built upon a set of policies, procedures, and standards supported by training and awareness. In addition, cybersecurity risks are also reviewed as part of our overall Enterprise Risk Management program. The cybersecurity team has significant experience in managing cybersecurity programs and has engaged with a MSSP to deploy state of the art cybersecurity technologies and gather threat intelligence and cyber risk trends. The cybersecurity program is executed with the MSSP, which provides active threat monitoring, risk assessment and incident response capabilities to timely assess and address any material cyber risk that could impact our business operations. On occasion, we engage other external experts, including cybersecurity assessors, consultants, and auditors to evaluate cybersecurity measures and risk management processes, including those applicable to Aquestive. We depend on and engage various third parties, including suppliers, vendors, and service providers, to operate. We rely on the expertise of our risk management, legal, information technology, and compliance personnel, as well as our MSSP, when identifying and overseeing risks from cybersecurity threats associated with our use of such entities. Governance Role of Management/Board The Senior Vice President of Information Technology (the “IT Officer”), along with the broader Information Technology function, is responsible for assessing and managing Aquestive’s cybersecurity risk and informing senior management and the Audit Committee of the Board regarding cybersecurity risks and the prevention, detection, mitigation, and remediation of cybersecurity incidents. The IT Officer reports to the Chief Executive Officer and leads our cybersecurity program. Our IT Officer has been responsible for this function at Aquestive for 10 years and has over eleven years of experience in information security strategy and the management of cybersecurity risk. The internal Aquestive IT team has over fifteen years of technical experience, program management and architecture experience in managing cyber risk and information security. The Audit Committee of the Board provides strategic oversight of Aquestive’s cybersecurity matters, including risks associated with cybersecurity threats . The IT Officer briefs the Audit Committee on the effectiveness of Aquestive’s cybersecurity program quarterly with a more in depth review done annually. The potential impact of risks from cybersecurity threats on the Company are assessed on an ongoing basis, and how such risks could materially affect the Company’s business strategy, operational results, and financial condition are regularly evaluated. During the reporting period, we have not identified any risks from cybersecurity threats or incidents, including as a result of previous cybersecurity incidents, that we believe have materially impacted, or are reasonably likely to materially affect, the Company, including our business strategy, operational results, and financial condition.

Company Information