ABEONA THERAPEUTICS INC. 10-K Cybersecurity GRC - 2025-03-20

Page last updated on March 20, 2025

ABEONA THERAPEUTICS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 07:30:47 EDT.

Filings

10-K filed on 2025-03-20

ABEONA THERAPEUTICS INC. filed a 10-K at 2025-03-20 07:30:47 EDT
Accession Number: 0001493152-25-010978


Item 1C. Cybersecurity.

ITEM 1B. UNRESOLVED STAFF COMMENTS: Not Applicable.

Cybersecurity Management and Strategy

In the ordinary course of our business, we collect, use, store, and transmit confidential, financial, sensitive, proprietary, personal, and health-related information. The secure maintenance of this information and our information technology systems is important to our operations and business strategy. To this end, we consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework, and have implemented processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity, and availability of these systems and the data residing therein. These processes are managed and monitored by a dedicated Director of Information Technology and an Information Technology Security and Risk Manager. We have developed a cybersecurity program following the National Institute of Standards and Technology (“NIST”) cybersecurity framework that includes mechanisms, controls, technologies, and systems designed to prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. For example, we conduct penetration and vulnerability testing, and data recovery testing on a periodic basis. In addition, we consult with outside advisors and experts, when appropriate, to assist with assessing, identifying, and managing cybersecurity risks, including to anticipate future threats and trends, and their impact on the Company’s risk environment.

Third-Party Risk Management

We have processes to evaluate third-party service providers and vendors that have access to sensitive systems and company data, which may include due diligence procedures such as assessments of that service provider’s cybersecurity posture or a recommendation of specific mitigation controls. Following an assessment, we determine and prioritize service provider risk based on potential threat impact and likelihood, and such risk determinations drive the level of due diligence and ongoing compliance monitoring required for each service provider.

Education and Awareness

We also provide cybersecurity training to our employees and are formalizing an ongoing information security training program for active employees and relevant consultants to address matters such as phishing, email security, social engineering and training on data privacy.

Governance

Our Director of Information Technology, who reports to our CFO, and the Information Technology Security and Risk Manager are responsible for assessing and managing cybersecurity risks. Our Director of Information Technology has over 25 years of experience managing information technology and cybersecurity. He has a bachelor’s degree in electrical engineering from Wright State University as well as a master’s degree in business administration from Ashland University. He has certifications from various information technology vendors as well as experience in implementing security frameworks such as International Organization for Standardization (“ISO”) 27001 and NIST. Our Information Technology Security and Risk Manager has a PhD in a scientific field and various information security certifications such as Certified Ethical Hacker (“CEH”) and Holistic Information Security Practitioner (“HISP”). She also has decades of experience in managing information technology environments and information security such as security architecture, security operations, and governance, risk and compliance.

We report on our information security program, including the results of periodic testing, to the Audit Committee of the Board of Directors on a quarterly basis. Our Board’s Audit Committee is responsible for overseeing our cybersecurity and information security procedures. The Audit Committee reviews management presentations concerning cybersecurity-related issues, including information security, technology risks, policies, and risk mitigation programs. The Audit Committee reports matters to the Board of Directors as needed. Our CFO, with the support of our Director of Information Technology, Information Technology Security and Risk Manager and third-party consultants, assesses and manages cybersecurity risk, including preventing, mitigating, detecting, and addressing cybersecurity incidents, if any. Our CFO also works closely with other management positions and external legal counsel to ensure that we understand our cybersecurity risk management responsibilities. In case of a cybersecurity incident or breach, our incident response plan defines in detail reporting and escalation processes to management and the Board of Directors.

Current Cybersecurity Risk Posture

We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us. However, like other companies in our industry, we and our third-party vendors have from time to time experienced threats to and security incidents relating to information systems. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the heading “Risks related to cybersecurity.”


Company Information

Name: ABEONA THERAPEUTICS INC.
CIK: 0000318306
SIC Description: Pharmaceutical Preparations
Ticker: ABEO - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30