Spero Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

Spero Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-27 16:30:13 EDT.

Filings

10-K filed on 2025-03-27

Spero Therapeutics, Inc. filed a 10-K at 2025-03-27 16:30:13 EDT
Accession Number: 0000950170-25-046125


Item 1C. Cybersecurity.

Cybersecurity Strategy

We have established and currently maintain processes designed to assess, identify and manage risks from cybersecurity threats to, among other things, our critical computer networks, third party hosted services, communications systems, and our critical and sensitive data. These cybersecurity processes are designed to secure our networks and information systems and protect our operations and information assets from unauthorized access or attack. Such cybersecurity processes include technical, procedural and organizational safeguards that are built into our overall information technology (“IT”) function. Our Board of Directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. As discussed in more detail under “Cybersecurity Governance” below, the audit committee of our Board of Directors provides oversight of our cybersecurity risk management and strategy processes, led by our Head of IT.

Our approach to cybersecurity is tailored to suit the specific environment in which we operate and is based on recognized frameworks established by applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Our approach includes a comprehensive strategy featuring a risk management team led by our Head of IT and a regularly tested incident response plan. We also identify our cybersecurity threat risks by comparing our processes to industry standards, as well as by engaging third party experts to conduct risk assessments, tabletop exercises, threat modeling, and vulnerability testing.

Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation. Our incident response plan requires that suspected cybersecurity incidents are promptly reported to our Controller and Chief Human Resource Officer and includes an escalation path to our Chief Executive Officer, executive leadership team, and Board of Directors.

In the last three fiscal years, we have not experienced any material cybersecurity incidents and are not aware of any cybersecurity incidents at third parties with whom we conduct business that may have impacted us.

Cybersecurity Management

Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. In general, our Board of Directors oversees risk management activities designed and implemented by our management. Our Board of Directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our Board of Directors has authorized our audit committee to oversee risks from cybersecurity threats.

Our audit committee receives periodic updates from management on our cybersecurity processes. The audit committee receives information regarding current and emerging material cybersecurity threat risks and our ability to mitigate those risks. Our Board of Directors receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

Our Head of IT, who leads our cybersecurity risk management and strategy processes, has over ten years of information technology and cybersecurity work experience. This risk management team member is informed about and monitors the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.


Company Information

Name: Spero Therapeutics, Inc.
CIK: 0001701108
SIC Description: Pharmaceutical Preparations
Ticker: SPRO - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30