X4 Pharmaceuticals, Inc 10-K Cybersecurity GRC - 2025-03-25

Page last updated on March 26, 2025

X4 Pharmaceuticals, Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-25 18:16:46 EDT.

Filings

10-K filed on 2025-03-25

X4 Pharmaceuticals, Inc filed a 10-K at 2025-03-25 18:16:46 EDT
Accession Number: 0001628280-25-014805

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy Our management recognizes the impact that cybersecurity threats could have on our business operations, our compliance with regulations, and our reputation. We have identified cybersecurity as a critical business risk as part of our overall risk management strategy, which our board of directors oversees. We have implemented a cybersecurity program in accordance with our risk profile and business that includes, among other things, written policies, monitoring and filtering procedures, and employee training. We have also developed an incident response policy and procedure designed to facilitate the timely reporting and assessment of cybersecurity incidents. 63 Our cybersecurity risk management program, which is part of our enterprise risk management program, aims to identify risks related to the Company, including risks from cybersecurity threats. Our cybersecurity risk management program includes a number of components, including informal self-assessments and audits, penetration testing, and vulnerability assessments, that are conducted periodically by both internal and external resources . The Company also analyzes current and emerging cyber threats that pose a risk to the organization using various threat intelligence tools and services. As part of our cybersecurity risk management program, we take a risk-based approach to the evaluation of third-party vendors , and apply mitigations and processes based on our evaluation of the sensitivity of the data accessed by the vendor and the maturity of the vendor’s programs. Our vendor evaluation procedures include, as appropriate, the review of vendors’ SOC 2 Type 2 reports and a vendor security questionnaire. Governance Related to Cybersecurity Risks Our Director of Infrastructure, Operations and Cybersecurity, who has over ten years of experience managing organizational operations, security and infrastructure, manages the Company’s cybersecurity program. We have a cyber subcommittee (the “Subcommittee”), which includes members of our finance, legal, and IT departments, that meets periodically to discuss the Company’s ongoing cybersecurity efforts. The Subcommittee reports to the Chief Operating Officer (“COO”) and Chief Financial Officer (“CFO”), who report outputs from the Subcommittee regarding potential cybersecurity risks to the Company’s executive team and the board . The Director of Infrastructure, Operations & Cybersecurity is responsible for the day-to-day monitoring and remediation of cybersecurity risks. The board is responsible for informed oversight of our risk management process. The board administers this oversight function through various board standing committees that address risks inherent in their respective areas of oversight. The board has delegated oversight for cybersecurity risk management to the Audit Committee. The Audit Committee reviews the Company’s policies and procedures with respect to cybersecurity risk management. Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats to and breaches of our and our third-party vendors’ data and systems. For more information, see Item 1A. Risk Factors.

Company Information