Quince Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-03-24

Page last updated on March 24, 2025

Quince Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-24 16:07:24 EDT.

Filings

10-K filed on 2025-03-24

Quince Therapeutics, Inc. filed a 10-K at 2025-03-24 16:07:24 EDT
Accession Number: 0001662774-25-000012

Item 1C. Cybersecurity.

Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The board of directors’ Audit Committee is responsible for overseeing our risk management processes, including oversight and mitigation of risks from cybersecurity threats. Management is responsible for the day-to-day administration of our risk management program and our cybersecurity policies, processes, and practices.

Cybersecurity Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data (including intellectual property, confidential information that is proprietary, strategic or competitive in nature) (collectively, “Information Systems and Data”).

We have implemented a cross-functional approach to assessing, identifying and managing material cybersecurity threats and incidents. Our Information Systems Representative and Chief Operating Officer identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment. We use various methods designed to accomplish this task including, for example: manual and automated tools, subscriptions to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, and evaluating threats reported to us.

Depending on the relevant information systems environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response strategies, systems monitoring, personnel training, cybersecurity insurance, data encryption strategies, network security controls, access controls, physical security controls, and asset management (such as tracking and disposal of Company information systems).

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, our IT Department works with management in an effort to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

We use service providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats, including, for example, cybersecurity software providers and professional services firms (including legal counsel). We also use service providers to perform a variety of functions throughout our business, such as application providers, data hosting providers, and CROs. We have a vendor management strategy designed to manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management strategies may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider, such as reviewing their information security documentation and imposing contractual obligations on them with respect to their information security controls.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our internal information systems, those of third parties with whom we work, or our data are or were compromised, we could experience adverse consequences including, but not limited to, regulatory investigations or actions, litigation, fines/penalties, disruptions of our business operations, reputational harm, and loss of revenue or profits.”

Governance

Our Audit Committee receives regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, threats, risks and mitigation. Our Audit Committee also receives information regarding certain cybersecurity risks that meet pre-established reporting thresholds, as well as ongoing updates regarding any such risk.

Our Information Systems Representative, in coordination with senior management including our Chief Operating Officer, works collaboratively across our company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity program, cross-functional teams throughout our company address cybersecurity threats and respond to and escalate certain cybersecurity incidents. Through ongoing communications with these teams, the Information Systems Representative and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents and report such threats and incidents to the Audit Committee when appropriate.

The Information Systems Representative has served in various roles in information technology and information security for over 26 years, including serving as the Director of Information Technology of another public company. Our Chief Operating Officer has over 7 years of experience managing information technology, including cybersecurity and risk management.


Company Information

Name: Quince Therapeutics, Inc.
CIK: 0001662774
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: QNCX - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30