Journey Medical Corp 10-K Cybersecurity GRC - 2025-03-26

Page last updated on March 27, 2025

Journey Medical Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-26 21:47:07 EDT.

Filings

10-K filed on 2025-03-26

Journey Medical Corp filed a 10-K at 2025-03-26 21:47:07 EDT
Accession Number: 0001410578-25-000490

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws as well as overall business continuation risk. Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, operations, privacy and compliance issues are identified and addressed through a multi-faceted approach. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We also engage third-party cybersecurity consultants to help us oversee cybersecurity threats both internally and in relation to our third-party service providers, including in connection with the foregoing activities. Our third-party cybersecurity consultants work to mitigate cybersecurity risks by executing all-inclusive security procedures, including but not limited to continuous employee education and training, assessing risks, monitoring systems, implementing security controls, and responding to incidents. This is done in a variety of manners including assessing the strength of outside vendors, suppliers and business partners that may have access to the Company’s data and systems, setting up strong access controls in the form of firewalls and encryption, continuous monitoring of data for suspicious activity and other threats, security audits and extensive training. We have implemented a cybersecurity risk management program that leverages the National Institute of Standards and Technology (“NIST”) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Our cybersecurity team collaborates with stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies. Our risk management program also assesses third-party cybersecurity risks and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers . We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition , under the heading " Our business and operations would suffer in the event of computer system failures, cyber-attacks, or deficiencies in our or third parties’ cybersecurity " in our risk factor disclosures in Item 1A of this Annual Report on Form 10-K. Cybersecurity Governance Cybersecurity is an important part of our risk management processes and an area of focus for our management. Our Chief Financial Officer (“CFO”) oversees the leaders from our information security, compliance and legal teams who are responsible for our cybersecurity risk management and strategy processes. Our CFO, together with these individuals, also oversee the work of our third-party consultants. These individuals have significant prior business experience in compliance and risk management. Specifically, our CFO has more than 25 years of experience in all aspects of corporate controllership including managing operating and organizational risk developing, executing and maintaining robust internal control environments, including cybersecurity risk and cash controls as part of several pharmaceutical company operations. Our CFO, as well as our management team, are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to our audit committee and overall board of directors on any appropriate items. Our executive management is responsible for the oversight of risks from cybersecurity threats. Members of our board of directors receive periodic updates from our executive management team regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Any urgent cybersecurity threats are immediately flagged and reported to the board of directors .

Company Information