Alto Neuroscience, Inc. 10-K Cybersecurity GRC - 2025-03-20

Page last updated on March 20, 2025

Alto Neuroscience, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 16:36:28 EDT.

Filings

10-K filed on 2025-03-20

Alto Neuroscience, Inc. filed a 10-K at 2025-03-20 16:36:28 EDT
Accession Number: 0001999480-25-000025

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, employee personal information, and clinical trial data, or Information Systems and Data. Our Senior Director, Information Technology, in conjunction with a third party service provider, under the direction of our Chief Financial Officer, or CFO, help management identify, assess and manage our cybersecurity threats and risks. With the assistance of our Senior Director, Information Technology and third-party service provider, we identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, automated tools for ransomware and virus protection, identity verification tools aimed at ensuring authorized environment access, and ongoing vulnerability assessments. Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures and processes designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: data encryption for certain data, network security controls, data segregation for certain data, access controls, physical security controls, monitoring for certain systems, asset management and tracking, and employee training. We also maintain cybersecurity insurance. Our assessment and management of material risks from cybersecurity threats are taken into account in our overall risk management processes. For example, we evaluate certain identified material risks from cybersecurity threats against our overall business objectives and will report material risks, if identified, to the audit committee of the board of directors, which evaluates our overall enterprise risk. We use third-party service providers to assist management to identify, assess, and manage material risks from cybersecurity threats, including for example, a managed security provider and professional services firms, including outside legal counsel. We use third-party service providers to perform a variety of functions throughout our business, including, for example, application providers, hosting companies, contract research organizations, and contract manufacturing organizations. We have certain vendor management processes to help manage cybersecurity risks associated with our use of certain of these providers, and, depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, those processes may involve different levels of assessment and risk mitigation measures, including, for example, the imposition of contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see the sections titled: “Risk Factors-Risks Related to our Business and Operations-If our telecommunications or information technology systems, or those used by our collaborators, CROs, CMOs, clinical sites, third-party logistics providers, distributors, or other contractors, consultants, or third party service providers upon which we rely, are or were compromised, become unavailable, or suffer security breaches, loss, or leakage of data or other disruptions, we could suffer adverse consequences resulting from such compromise, including but not limited to, operational or service interruption, harm to our reputation, litigation, fines, penalties and liability, compromise of sensitive information related our business, and other adverse consequences.” and “Risk Factors-Risks Related to Government Regulations-We and the third parties with whom we work are subject to stringent and evolving U.S. and foreign laws, regulations, and rules, contractual obligations, industry standards, policies and other obligations related to data privacy and security. Actual or perceived failures to comply with applicable data protection, privacy and security laws, regulations, standards, and other requirements could adversely affect our business, results of operations, and financial condition.” Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The audit committee of the board of directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including our CFO, leveraging the expertise of our Senior Director, Information Technology and third party service provider. Our CFO has three years of oversight responsibilities for cybersecurity elements and has been involved in the oversight of the implementation of the Company’s current cybersecurity measures. Our Senior Director, Information Technology has approximately 20 years of oversight responsibilities for cybersecurity elements and has been involved in the oversight of the implementation of the Company’s current cybersecurity measures. Currently, our CFO and Senior Director, Information Technology are collectively responsible for hiring appropriate personnel, managing external third-party providers, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including to our CFO. Senior Director, Information Technology, and General Counsel. As part of those processes, members of management, including our Senior Director, Information Technology and CFO, would work to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response processes are designed to report certain cybersecurity incidents to the audit committee of the board of directors. The audit committee receives periodic reports from management concerning our cybersecurity risks and the processes we have implemented to address them. The audit committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.

Company Information