Mind Medicine (MindMed) Inc. 10-K Cybersecurity GRC - 2025-03-06

Page last updated on March 6, 2025

Mind Medicine (MindMed) Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-06 07:40:25 EST.

Filings

10-K filed on 2025-03-06

Mind Medicine (MindMed) Inc. filed a 10-K at 2025-03-06 07:40:25 EST
Accession Number: 0000950170-25-034176

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity In the ordinary course of our business, we may collect, store, use, transmit, disclose, or otherwise process proprietary, confidential, and sensitive information, including personal information (such as health-related information), data related to clinical trials, intellectual property, and trade secrets. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our collaborative partners, third-party service providers and other business partners to safeguard our data. Cybersecurity Program Given the importance of cybersecurity to our business, we maintain a robust cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our own systems, networks, and technology or the systems, networks and technology of our contractors, consultants, vendors and other business partners. However, we cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. We use various tools and methodologies to manage cybersecurity risk that are tested on a regular cadence. In the event of a cybersecurity incident, we maintain a regularly tested incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing reporting obligations associated with the cybersecurity incident, and performing post-incident analysis and program enhancements. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. Our information security program is tactically and strategically supplemented via partnerships and engagements with key consultants, vendors, and service providers. We also actively engage with key vendors as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures. We use a number of means to assess cyber risks related to our third-party service providers , including vendor questionnaires, vendor audits, vendor qualification, and conducting due diligence in connection with onboarding new vendors and regular vendor reviews. We require third-party service providers with access to sensitive, confidential or proprietary information to implement and maintain robust cybersecurity practices consistent with applicable legal standards and leading industry practices. Governance Management Oversight Our information security program is managed by designated information technology personnel and members of our management team, who are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Information Technology team, consisting of a Vice President of Information Technology, Director of Information Technology and external consultants. Our Information Technology team leverages over 20 years of experience in pharmaceutical and biotechnology information technology, security, and management. Our Information Technology team is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Our Information Technology team provides periodic reports to our senior management as appropriate and informs senior management on an ad hoc basis of significant cybersecurity incidents. Board Oversight Our Board has delegated overall responsibility for risk oversight, including cybersecurity risk matters , to our Audit Committee. Our senior management provides periodic reports to our Audit Committee and our Board. These reports include updates on our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and 91 the emerging threat landscape. In addition, our information security program is regularly evaluated by external experts with the results of those reviews reported to senior management and our Board. The Audit Committee is also promptly apprised of more significant cybersecurity incidents and in the aggregate for less significant incidents. Cybersecurity Risks While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A-Risk Factors-If our information technology systems or data, or those of third parties upon which we rely, are of were compromised, we could experience adverse consequences resulting from such compromise, including regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.” As of December 31, 2024, we have not experienced any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected our business strategy, results of operations or financial condition in the last year or are reasonably likely to have such a material effect.

Company Information