Page last updated on March 5, 2025
Protara Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-05 08:16:59 EST.
Filings
10-K filed on 2025-03-05
Protara Therapeutics, Inc. filed a 10-K at 2025-03-05 08:16:59 EST
Accession Number: 0001213900-25-020368
Item 1C. Cybersecurity.
Risk Management & Strategy
We maintain a cyber risk management program designed to identify, assess, manage, mitigate and respond to cybersecurity threats. This program, in conjunction with our enterprise risk management assessment processes, address cybersecurity risks to the corporate information technology, or IT, environment including systems, hardware, software, data, people and processes. The underlying processes and controls of our cyber risk management program incorporate recognized best practices and standards for cybersecurity and IT, including the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, and processes and controls supporting data protection requirements under applicable law. The NIST CSF offers a thorough set of guidelines and best practices to help establish a strong cybersecurity posture. Utilizing NIST CSF enables us to systemically identify, assess, and manage cybersecurity risks most relevant and impactful to our business operations. It is important to note that using the NIST CSF as a guide does not imply our cybersecurity program meets any specific technical standards or requirements.
Our cybersecurity risk management strategy includes the following approach: We have an annual assessment performed by a third-party specialist of the Company’s cyber risk management program against the NIST CSF. The annual risk assessment identifies, quantifies and categorizes significant cyber risks. In addition, we, in conjunction with the third-party cyber risk management specialists, developed a risk mitigation plan to address such cyber risks, and where necessary, remediate potential vulnerabilities identified through the annual assessment process.
In addition, we maintain policies over areas such as protecting and handling confidential information, processing of personal data, access on/off boarding, user management, acceptable use, and IT change control management to help govern the processes put in place by management designed to protect our IT assets, data and services from threats and vulnerabilities. We employ additional key practices within the cyber risk management program including, but not limited to maintenance of an IT assets inventory, periodic network scans, identity access management controls including restricted access to privileged accounts, and physical security measures at our facilities. We also utilize information protection/detection systems, or IPS/IDS, including maintenance of firewalls and anti-malware tools, network and data traffic monitoring with automated alerting, ongoing cybersecurity user awareness training, industry-standard encryption protocols, formalized change management processes and critical data backups to reduce cybersecurity risk.
Cybersecurity partners, including assessors, consultants, advisors and other third-party service providers, are a key part of our cybersecurity risk management strategy and infrastructure. We partner with industry recognized cybersecurity providers leveraging third-party technology and expertise and engage with these partners to monitor and maintain the performance and effectiveness of IT assets, data and services. The cybersecurity partners provide services including, but not limited to systems inventory monitoring, configuration management, periodic network scanning, user management, mobile device monitoring, capacity monitoring, network protection and monitoring, IPS/IDS management, remote access monitoring and management, user activity monitoring, data backups management, infrastructure maintenance, incident response, cybersecurity strategy, and cyber risk advisory, assessment and remediation.
We have implemented third-party risk management processes to manage the risks associated with reliance on vendors, critical service providers, and other third parties that may lead to a service disruption or an adverse cybersecurity incident. This includes processes for performing third-party risk ratings and data classification mapping of current and ongoing vendors. The program promotes good cybersecurity practices with our third-party vendors and helps to ensure their adherence to our cybersecurity standards.
In evaluating the risks identified as a result of the annual cybersecurity assessment process, our cybersecurity partners assist the Company to assess the likelihood, severity, and impact of relevant risks, including the impact on employees, stakeholders, and vendors. These risks are prioritized and monitored by the cybersecurity partners and management of the Company.
Our cybersecurity program includes an incident response plan that includes all relevant and critical members of management and third-party service providers alike. The team is responsible for assessing and managing cybersecurity incident response processes, response times, and communication plans in the event corrective actions and mitigation procedures are required to isolate and eradicate an incident.
Governance & Oversight
Our finance leadership team, led by our chief financial officer, in conjunction with third-party IT and cybersecurity service providers is responsible for oversight and administration of our cyber risk management program, and for informing senior management and other relevant stakeholders regarding the prevention, detection, mitigation and remediation of cybersecurity incidents. Our finance leadership team has experience selecting, deploying and overseeing cybersecurity technologies, initiatives, and processes directly or via selection of strategic third-party partners.
We also rely on threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us for strategic cyber risk management, advisory and decision making.
The Audit Committee of the Board of Directors, or the Audit Committee, oversees our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks. The cybersecurity stakeholders, including member(s) of management assigned with cybersecurity oversight responsibility and/or third-party consultants providing cyber risk advisory services, brief the Audit Committee on cyber threats and vulnerabilities identified through the risk management process, the effectiveness of our cyber risk management program, the emerging threat landscape, and new cyber risks on at least an annual basis. This includes updates on our processes to prevent, detect and mitigate cybersecurity incidents. In addition, the Audit Committee is responsible for reporting information about such risks to the Board of Directors and material cybersecurity risks and/or events are reviewed by the Board of Directors, at least annually, as part of our corporate risk oversight processes.
We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We acknowledge that the risk of cyber incidents is prevalent in the current threat landscape and that a future cyber incident may occur in the normal course of our business. However, prior cybersecurity incidents have not been material and are not reasonably likely to have had a material adverse effect on our business, financial condition, results of operations, or cash flows.
We proactively seek to detect and investigate unauthorized attempts and attacks against our IT assets, data, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to internal policies, processes, and operations; however, potential vulnerabilities to known or unknown threats will still remain. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, investors and additional stakeholders, which could subject us to additional liability and reputational harm. In response to such risks, we have implemented initiatives such as our cybersecurity risk assessment process and development of an incident response plan. See Item 1A. “Risk Factors” for more information on Company cybersecurity risks.
Company Information
Name | Protara Therapeutics, Inc. |
CIK | 0001359931 |
SIC Description | Biological Products, (No Diagnostic Substances) |
Ticker | TARA - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |