Page last updated on March 6, 2025
Arcturus Therapeutics Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 16:39:12 EST.
Filings
10-K filed on 2025-03-06
Arcturus Therapeutics Holdings Inc. filed a 10-K at 2025-03-06 16:39:12 EST
Accession Number: 0000950170-25-034787
Item 1C. Cybersecurity.
Risk management and strategy
We recognize the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data.

Managing Material Risks & Integrated Overall Risk Management
We have implemented tools and strategies to promote a company-wide culture of cybersecurity risk management. This ensures that cybersecurity considerations are an integral part of our decision-making process. Our IT Department works closely with our leadership and key operating personnel to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. Our information security function and our Vice President of Information Technology help identify, assess and manage the Company’s cybersecurity threats and risks. This group works to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods in certain contexts, including, for example, manual tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threat actors, conducting scans of certain environments, evaluating certain threats reported to us, conducting threat and vulnerability assessments, using external intelligence feeds, and using third parties to conduct tabletop incident response exercises and other tests.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data, including, for example: incident detection and response, disaster recovery/business continuity policies, encryption of certain data, network security controls and data segmentation for certain systems, access controls, physical security, asset management and tracking, systems monitoring, annual mandated employee training, penetration testing, cybersecurity insurance, and dedicated cybersecurity staff.

Engage Third-parties on Risk Management
Due to the complexity and evolving nature of cybersecurity threats, we engage with a range of external experts, including but not limited to cybersecurity assessors, consultants, and auditors to evaluate and test our risk management systems. These partnerships enable us to leverage specialized knowledge and insights, to help ensure our cybersecurity strategies and processes remain at the forefront of industry best practices. Our collaborations with these third parties include regular audits, threat assessments, 24-hour monitoring, and consultation on security enhancements.

Oversee Third-party Risk
Because we are aware of the risks associated with third-party service providers, we conduct thorough security assessments of all determined high-risk third-party providers as deemed necessary, before engagement to ensure compliance with industry cybersecurity standards and frameworks. This includes assessments performed by our Vice President of IT, who oversees the Company’s cybersecurity function.

Risks from Cybersecurity Threats
We have not encountered cybersecurity challenges that have materially affected or are reasonably likely to materially affect our operations or financial standing.

Governance
We have implemented standard operating procedures to define the channels by which cybersecurity threats are communicated to the Company’s Board of Directors (the “Board”). This ensures that the Board has oversight and effective governance in managing risks associated with cybersecurity threats.

Board of Directors Oversight
The Audit Committee of the Board (the “Audit Committee”) is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise, including risk management and finance, equipping them to oversee cybersecurity risks effectively. The Audit Committee receives briefings on cybersecurity risks from the Vice President of IT or the Chief Legal Officer as described below in “Management’s Role Managing Risk.”

Management’s Role Managing Risk
The Vice President of IT, Chief Legal Officer (“CLO”) and the Director of IT Infrastructure and Security play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. The current Vice President of IT, who is responsible for assessment and management of cybersecurity risks, has over 20 years of experience in information and technology security, including senior roles at several companies in the pharmaceutical industry, and possesses the requisite education, skills, experience, and industry certifications expected of an individual assigned to these duties. These briefings encompass a broad range of topics, including:
- Current cybersecurity landscape and emerging threats;
- Status of ongoing cybersecurity initiatives and strategies;
- Incident reports and learnings from any cybersecurity events; and
- Compliance with regulatory requirements and industry standards.

Risk Management Personnel
Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with the Vice President of IT and the Director of IT Infrastructure and Security. Our IT Leadership team oversees our governance programs, tests our compliance with standards, remediates known risks, stays informed of significant developments in the cybersecurity domain, and leads our employee training program.

Monitor Cybersecurity Incidents
The Vice President of IT is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. In cooperation with the Vice President of IT, the Director of IT Infrastructure and Security implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Vice President of IT is equipped with a well-defined incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.

Reporting to Board of Directors
The Vice President of IT and the Director of IT Infrastructure and Security, in their respective capacity, inform the Chief Financial Officer (CFO) and Chief Legal Officer (CLO) of cybersecurity risks and incidents. Furthermore, significant cybersecurity matters and strategic risk management decisions are required to be escalated to the Board, ensuring that they have comprehensive oversight and can provide guidance on critical cybersecurity issues. See Item 1A “Risk Factors” - “Risks Related to Business Operations and Industry.”

Company Information
Name | Arcturus Therapeutics Holdings Inc. |
CIK | 0001768224 |
SIC Description | Pharmaceutical Preparations |
Ticker | ARCT - Nasdaq |
Website | |
Category | Accelerated filer |
Fiscal Year End | December 30 |