Acurx Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2025-03-17

Page last updated on March 17, 2025

Acurx Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-17 16:05:27 EDT.

Filings

10-K filed on 2025-03-17

Acurx Pharmaceuticals, Inc. filed a 10-K at 2025-03-17 16:05:27 EDT
Accession Number: 0001558370-25-003117

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We recognize the critical importance of maintaining the trust and confidence of customers, clients, patients, business partners and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity standards, processes and practices are based on recognized frameworks established by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity Risk Management and Strategy ; Effect of Risk We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we work with a third-party cyber specialist to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. As discussed in more detail under “Cybersecurity Governance” below, our audit committee provides oversight of our cybersecurity risk management and strategy processes, which are led by Chief Executive Officer. We also identify our cybersecurity threat risks by comparing our processes to standards set by the NIST, International Organization for Standardization, Center for Internet Security as well as by engaging experts to attempt to infiltrate our information systems. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities: - monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws; - through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care; - employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence; - provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices; - conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats; - conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data; and - leverage the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident. Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation. As part of the above processes, we regularly engage with a third-party cyber specialist to review our cybersecurity program to help identify areas for continued focus, improvement and compliance. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers or who have access to patient and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Cyber incidents or attacks directed at us could result in information theft, data corruption, operational disruption and/or financial loss,” which disclosures are incorporated by reference herein. In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none. Cybersecurity Governance; Management Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. The audit committee of our board of directors is responsible for the oversight of risks from cybersecurity threats. On an annual basis, our audit committee receives an update from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our audit committee generally receives materials discussing current cyber risks and threats specific to our organization and industry, progress and status updates on projects aimed at fortifying our information security infrastructure, comprehensive evaluations of our ongoing information security program’s effectiveness, and analysis of the evolving cyber threat landscape and its potential implications for our operations. and discusses such matters with our Chief Executive Officer. Our audit committee also receives prompt and timely information regarding any cybersecurity incident that meets establishing reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer, with the assistance of a third-party cyber specialist. Our Chief Executive Officer and third-party cyber specialist have collectively over 25 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, and our third-party cyber specialist has several relevant degrees and certifications. Our Chief Executive Officer is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through the management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, our Chief Executive Officer reports to the audit committee of our board of directors about cybersecurity threat risks, among other cybersecurity related matters, on an annual basis . Artificial intelligence presents risks and challenges that can impact our business including by posing security risks to our confidential information, proprietary information, and personal data. Issues in the development and use of artificial intelligence, combined with an uncertain and evolving regulatory environment, may result in reputational harm, liability, or other adverse consequences to our business operations. As with many technological innovations, artificial intelligence presents risks and challenges that could impact our business. Additionally, our vendors and suppliers may incorporate generative artificial intelligence tools into their offerings without disclosing this use to us, and the providers of these generative artificial intelligence tools may not meet existing or rapidly evolving regulatory or industry standards with respect to privacy and data protection, which may inhibit our or our vendors’ and suppliers’ ability to maintain an adequate level of service and experience. Additionally, we expect to see increasing government and supranational regulation related to artificial intelligence use and ethics, which may also significantly increase the burden and cost of research, development and compliance in this area. For example, the European Union’s Artificial Intelligence Act (the “EU AI Act”) is the world’s first comprehensive law regulating the development and use of artificial intelligence-entered into force on August 1, 2024 and, with some exceptions, will become fully effective from August 2, 2026. The EU AI Act regulates artificial intelligence systems based on risk level, has extraterritorial reach in certain circumstances, and imposes obligations on providers, manufacturers, importers, distributors, and deployers of artificial intelligence systems. The EU AI Act also prohibits certain uses of artificial intelligence. If we develop or use artificial intelligence systems that are governed by the EU AI Act, we may be required to ensure higher standards of data quality, transparency, and human oversight, and adhere to specific and potentially burdensome and costly ethical, accountability, and administrative requirements. If we, our vendors, our suppliers, or our third-party partners experience an actual or perceived breach of privacy or other cybersecurity incident because of the use of generative artificial intelligence, we may lose valuable intellectual property, personal information, and confidential information, and our reputation and the public perception of the effectiveness of our privacy and security measures could be harmed. These events could also result in obligations pursuant to, and subject us to liability under, applicable laws and contracts that we have entered into. Further, bad actors around the world use increasingly sophisticated methods, including the use of artificial intelligence, to engage in illegal activities involving the theft and misuse of personal information, confidential information, and intellectual property. Any of these outcomes could damage our reputation, result in the loss of valuable property and information, and adversely impact our business.

Company Information