Upstream Bio, Inc. 10-K Cybersecurity GRC - 2025-03-12

Page last updated on March 12, 2025

Upstream Bio, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-12 07:10:34 EDT.

Filings

10-K filed on 2025-03-12

Upstream Bio, Inc. filed a 10-K at 2025-03-12 07:10:34 EDT
Accession Number: 0000950170-25-037621

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyb ersecurity. Cyber Risk Management and Strategy We have adopted processes for assessing, identifying, and managing cybersecurity risks, which are built into our information technology function and are designed to help protect our information assets and operations from internal and external cybersecurity threats, protect employee and clinical trial information from unauthorized access or attack, as well as secure our networks and systems. Such processes include physical, procedural, and technical safeguards, and periodic review of our procedures in an effort to identify risks and refine our practices. To support our internal resources, we leverage external tools and resources, including a managed service provider that provides ongoing support for the protection of our information technology infrastructure. We have an employee security awareness program, required upon onboarding and on an annual basis thereafter, that is designed to raise awareness of cybersecurity threats across functions. As part of this employee training program, we periodically conduct phishing tests. We have also implemented a process to assess and review the cybersecurity practices of certain third-party vendors and service providers that may be critical to the operations of our business and who have access to our information systems including, as appropriate, through the inclusion of cybersecurity requirements in our contracts. 103 We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors may, from time to time, experience threats and security incidents relating to our and our third-party vendors’ information systems. For more information, see " Risk Factors-Risks related to our dependence on third parties-Our information technology systems, or those used by our CROs or other contractors or consultants, may fail or suffer security breaches, which could adversely affect our business. " Governance Related to Cybersecurity Risks Our audit committee of the board of directors, or the Audit Committee, is responsible for overseeing cybersecurity risk , pursuant to the Audit Committee charter, and periodically updates our board of directors on such matters. The Audit Committee receives periodic updates from management regarding cybersecurity matters, and we have a process for the Audit Committee to be notified between such updates in the event of any significant new cybersecurity threats or incidents. Management is responsible for the operational oversight of company-wide cybersecurity strategy, policy, and standards across relevant departments to assess and help prepare us to address cybersecurity risks . Our Senior Manager of Information Technology reports to our Chief Financial and Operating Officer and oversees the day-to-day implementation and management of our cybersecurity program. Our Senior Manager of Information Technology has approximately 20 years of experience in information technology and regularly reports to executive management, the company’s disclosure committee, and the Audit Committee on cyber matters, as appropriate .

Company Information