Armata Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2025-03-20

Page last updated on March 21, 2025

Armata Pharmaceuticals, Inc. reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-20 20:32:34 EDT.

Filings

10-K filed on 2025-03-20

Armata Pharmaceuticals, Inc. filed a 10-K at 2025-03-20 20:32:34 EDT
Accession Number: 0001558370-25-003406


Item 1C. Cybersecurity.

Item 1C), such attacks are increasing in frequency and sophistication, and the possibility of a future data compromise, and risks associated with intrusion, tampering, and theft, cannot be eliminated entirely. We have experienced cyber-attacks in various forms, including phishing and other attempts to compromise our systems, but none of these has resulted in a material incident. A failure of our systems, or an inability to successfully expand the capacity of these systems, or an inability to successfully integrate new technologies into our existing systems could have a material adverse effect on our business, results of operations, financial condition, and cash flows. Further, our cybersecurity controls may not function as intended or our logging may be insufficient to fully investigate an incident. A system failure, accident or security breach may also result in a material disruption of our independent drug development programs. For example, the loss of clinical trial data from ongoing or future clinical trials for any of our product candidates could result in delays in regulatory approval efforts and significantly increase costs to recover or reproduce the data. Our information security systems are also subject to laws and regulations requiring that we take measures to protect the privacy and security of certain information we gather and use in our business. For example, federal and state laws, including, without limitation, state security breach notification laws, state health information privacy laws and federal and state consumer protection laws, govern the collection, use, disclosure and storage of personal information. 
To the extent that any disruption or security breach were to result in a loss of or damage to data or applications, or inappropriate disclosure of confidential or proprietary information or personal health information, we could incur substantial liability, our reputation would be damaged and the further development of our product candidates could be delayed. The Company’s and its vendors’ sophisticated information technology operations are spread across multiple, sometimes inconsistent, platforms, which pose difficulties in maintaining data integrity across systems. The ever-increasing use and evolution of technology, including cloud-based computing, creates opportunities for the unintentional or improper dissemination or destruction of confidential information stored in the Company’s systems. A compromise of the security or integrity of any of these systems could adversely affect our security posture. Any breach of our security measures or the accidental loss, inadvertent disclosure, unapproved dissemination, misappropriation or misuse of trade secrets, proprietary information or other confidential information, whether as a result of theft, hacking, fraud, trickery or other forms of deception, or for any other cause, could adversely affect our business position. Further, any such interruption, security breach, loss or disclosure of confidential information could result in financial, legal, business and reputational harm to the Company and could have a material adverse effect on our business, financial condition, results of operations, cash flows and stock price.

Item 1B. UNRESOLVED STAFF COMMENTS

None.

Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K.
These risks include operational risks, intellectual property or trade secret theft, improper disclosure of confidential information, fraud, extortion, harm to employees or customers, and violation of data privacy or security laws. Cybersecurity risks related to our business, technical operations, privacy, and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal information technology (“IT”) audits, and IT security reviews.

To defend, detect, and respond to cybersecurity incidents, we perform cybersecurity reviews of systems and applications; audits of applicable data policies; vulnerability assessments and penetration testing using external third-party tools to test security control; security incident and event management; continuous monitoring, and threat intelligence gathering; conduct employee training; and implement appropriate changes. Security events and data incidents are evaluated, ranked by severity, and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact.

We leverage third-party expertise to audit and test our cybersecurity program and perform employee awareness training. These include periodic reviews of cybersecurity threats and related controls, including review of periodic penetration testing conducted by independent third parties. We maintain a cyber liability insurance plan underwritten by multiple insurance companies, which provides protection against certain potential losses arising from cybersecurity incidents.

Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents.
For more information on our cybersecurity related risks, see Item 1A Risk Factors of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors (“Board of Directors”) and management. Our Board of Directors delegated oversight of Cybersecurity to the Audit Committee. Members of our Board of Directors receive reports and presentations on data privacy and security, which address relevant cybersecurity issues, and which can span a wide range of topics, including but not limited to, recent developments, evolving standards, vulnerability assessments, review of risks from third parties such as service providers and suppliers, and the current threat environment. These updates are presented by IT third-party experts, finance, and legal departments. Members of our Board of Directors also engage in ad hoc conversations with management on cybersecurity-related news events and updates to our cybersecurity risk management and strategy programs.

The Audit Committee’s cybersecurity-related oversight includes the following:

● Receiving notice of, and providing guidance with respect to, material cybersecurity incidents;
● Reviewing our risks and cybersecurity programs and policies;
● Overseeing our management and mitigation of cybersecurity risks and potential breach incidents;
● Reviewing reports and key metrics on the Company’s cybersecurity and related risk management programs;
● Reviewing the progress of major technology-related proposals, plans, projects and architecture decisions to ensure that these projects and decisions support our overall business strategy.

Our management engages with third-party experts who have significant IT expertise and broad cybersecurity experience, including in cybersecurity threat management, cybersecurity training and education, incident response, cyber forensics, insider threats, business continuity and disaster recovery, and regulatory compliance. Such individuals have significant prior work experience in various roles involving IT security, auditing, compliance, systems, and programming. These individuals are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents and design.


Company Information

Name: Armata Pharmaceuticals, Inc.
CIK: 0000921114
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: ARMP - NYSE
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30