Zura Bio Ltd 10-K Cybersecurity GRC - 2025-03-25

Page last updated on March 25, 2025

Zura Bio Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-25 06:59:18 EDT.

Filings

10-K filed on 2025-03-25

Zura Bio Ltd filed a 10-K at 2025-03-25 06:59:18 EDT
Accession Number: 0001410578-25-000443


Item 1C. Cybersecurity.

Risk management and strategy

Our information technology (IT) department with the help of third-party service providers helps identify, assess and manage the Company’s cybersecurity threats and risks. Our IT department with the help of third-party service providers identifies and assesses the risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods, including conducting scans of the threat environment, audits, and assessments.

Our cybersecurity risk management processes have been designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. This program will be integrated within the Company’s enterprise risk management system.

Depending on the environment, systems, and data at issue, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our information systems and data. For example, our cybersecurity risk management program is comprised of various components, such as:

● Implementing data backup, recovery and restoration procedures designed to ensure business continuity, as well as through certain IT controls, policies and infrastructure.
● Monitoring network traffic and endpoints with Endpoint Detection and Response (EDR) tools, implementing a Security Operations Center (SOC) to detect & respond to cybersecurity threats, and using encryption for certain data and Multi-Factor Authentication (MFA).
● Requiring periodic employee cybersecurity training to mitigate the risk of phishing and social engineering attacks.
● Conducting periodic risk assessment of protections to mitigate cybersecurity threats.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example, managed cybersecurity service providers, cybersecurity software providers, and dark web monitoring services.

We use third-party service providers to perform a variety of functions throughout our business, such as contract research organizations and contract manufacturing organizations. We have a vendor management process to manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the information systems and data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. This process may include reviewing the vendor’s written security program and conducting security assessment calls with the vendor’s personnel.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Our internal computer systems, or those of any of the third parties with whom we work (including CROs, manufacturers, other contractors or consultants or potential future collaborators), may fail or suffer security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations.”

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function.
The board of directors’ Audit Committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and of mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our Vice President of IT who stays informed about and oversees prevention, detection, mitigation, and remediation efforts through regular communication and reporting channels within our organization. The Chief Legal Officer oversees the information security function and receives regular updates about information security.

Our Vice President of IT is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Vice President of IT is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our Chief Legal Officer. Our Chief Legal Officer works with the Vice President of IT to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response processes include reporting to the Audit Committee of the board of directors for certain cybersecurity incidents.

The Chief Legal Officer and Audit Committee oversee the IT department and receive periodic updates concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them.


Company Information

Name: Zura Bio Ltd
CIK: 0001855644
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: ZURA - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30