Galecto, Inc. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

Galecto, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 16:00:27 EDT.

Filings

10-K filed on 2025-03-19

Galecto, Inc. filed a 10-K at 2025-03-19 16:00:27 EDT
Accession Number: 0000950170-25-041981

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We recognize the critical importance of maintaining the trust and confidence of universities, medical institutions, clinical investigators, CROs, strategic collaborators, business partners, employees, and others, and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity policies, standards, processes and practices are informed, in part, by recognized frameworks established by applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity Risk Management and Strategy We face risks related to cybersecurity such as unauthorized access to information or information technology systems, cybersecurity attacks, and other cybersecurity incidents. Our processes to identify, assess, and manage material cybersecurity risks are informed, in part, by industry cybersecurity standards, including components of the National Institute of Standards and Technology Cybersecurity Framework, ISO 27001 standard, and HIPAA security regulations. Our processes include assessments to identify key risk areas and inform our overall cybersecurity strategy and cybersecurity assessments in connection with our review of key information technology systems. Our processes also include technical security controls, such as network monitoring tools and multi-factor authentication, where appropriate. We conduct due diligence on third-party vendors and service providers that store or process sensitive company information. Our processes include a security review and implementation of procedures to receive and review security updates and alerts from such third parties. We have established an incident response process designed to identify, assess, and respond to cybersecurity incidents. This process includes established roles, responsibilities and procedures to guide incident response operations, and reporting procedures for notifying members of management and the audit committee, where appropriate. We also maintain back-ups and disaster recovery plans designed to restore information in the event of a cybersecurity incident. We have not experienced any cybersecurity incidents, and are not aware of any threats, that have materially affected us or are reasonably likely to materially affect us, during the last fiscal year. However, like other companies in our industry, we and our third-party vendors may from time to time experienced threats and security incidents that could affect our information or systems. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, in “Item 1A, Risk Factors.” Governance Related to Cybersecurity Risks Our board of directors is involved in risk oversight as part of our overall business strategy and has delegated oversight of risk assessment and management to the audit committee. The audit committee administers its risk oversight function by receiving periodic reports from members of senior management. Our audit committee discusses cybersecurity threats and our risk management processes at least annually, receives updates on relevant cybersecurity developments, and considers steps that our management has taken to monitor and manage cybersecurity risk. The full board of directors also discusses with management, identified material cybersecurity risks, their potential impact on us, and the steps we take to manage them. Our audit committee and board of directors also receive prompt and timely information regarding any cybersecurity incident that meets establishing reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. Our Information Technology Administrator, with support from third-party service providers, including our outsourced Data Protection Officer, implements and administers our information security program. Such individuals have collectively over 40 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response processes. Additionally, our Information Technology Administrator, in conjunction with the Data Protection Officer, provides regular reports to our interim Chief Financial Officer and General Counsel on cybersecurity risks and the implementation of risk management 85 processes. Such management team members report information on such cybersecurity risks and incidents to our audit committee and board of directors as discussed above.

Company Information