Third Harmonic Bio, Inc. 10-K Cybersecurity GRC - 2025-03-27

Page last updated on March 27, 2025

Third Harmonic Bio, Inc. described its cybersecurity risk management and governance process in its annual 10-K, filed on 2025-03-27 at 08:00:40 EDT.

Filings

10-K filed on 2025-03-27

Third Harmonic Bio, Inc. filed a 10-K at 2025-03-27 08:00:40 EDT
Accession Number: 0000950170-25-045736


Item 1C. Cybersecurity.

The Board’s Roles and Responsibilities

The Board of Directors, as a whole and at the subcommittee level, oversees and monitors our cybersecurity risk, receiving regular updates from management on the status of our current cybersecurity risks, a prioritization of key risk areas to be mitigated, and any significant cyber incidents that have occurred or are reasonably likely to occur. Since 2023, we have engaged in periodic formal cybersecurity risk assessments conducted by an expert third party. The findings from that formal assessment have informed our ongoing cybersecurity roadmap, which is updated at least annually. The Audit Committee plays a key role by ensuring that the prioritization of the roadmap supports our business objectives, and by making decisions, when called upon, on whether specific cybersecurity risks should be mitigated or whether that risk is acceptable to the business.

Risk Management and Strategy

Information technology and the digital transformation of our assets and business processes are critical to our growth strategy. Inherent to information technology and digital transformation is the commensurate cybersecurity risk, which we manage by maintaining a cybersecurity program that is integrated into our overall risk management process. Our cybersecurity program is overseen by our Director, IT Infrastructure & Cybersecurity and utilizes a risk-based methodology to support the confidentiality, integrity and availability of our digital assets. The cybersecurity program is supported at the highest level within the Company, formally reporting to the Audit Committee twice annually and more often if required. As a part of the cybersecurity program, we conduct assessments, both internally and by independent third parties, to identify and prioritize the mitigation of cybersecurity risks.

We also maintain a formal and mandatory cybersecurity awareness training program for all employees that includes annual training on information security best practices in high-risk areas such as phishing and authentication. Additional role-based training is provided to finance team members, due to the elevated privilege and risk associated with their duties. All employees are also tested periodically for their cybersecurity awareness.

We rely on information technology systems and infrastructure for many of our business and internal processes. Some of these systems and infrastructure are managed by third-party service providers who are not under our direct control. In order to mitigate material risks from our critical finance-related third-party service providers, we annually review their SOC 1 reports for any noted material incidents and risks. For our non-finance service providers, we are currently implementing cybersecurity controls, including but not limited to requiring all critical vendors to notify us should the vendor fall victim to, and become aware of, a material cybersecurity incident, and reviewing any available SOC 2 or similar compliance reports should they be available. Our vendor selection and management processes include the assessment of vendors’ cybersecurity controls.

While tools and processes are in place to mitigate cybersecurity risks, we are continuing to establish an Incident Response Plan, or IRP, to analyze, contain, and remediate any cybersecurity incidents which may occur despite these mitigations. The IRP, based on the National Institute of Standards and Technology framework, defines a timely, consistent, and compliant response to cybersecurity incidents and includes notifications to the Audit Committee and any relevant governing bodies, such as the SEC, in the event that the cybersecurity incident is deemed to be material.

Although we have implemented a cybersecurity program designed to protect and preserve the confidentiality, integrity and availability of our information systems and assets, we also maintain cybersecurity insurance to manage potential liabilities resulting from specific cyber incidents. However, it is important to note that although we maintain cybersecurity insurance, there can be no guarantee that the insurance will cover us, wholly or partially, from potential liabilities, or that such insurance proceeds will be paid to us in a timely manner.

While we are not aware of any significant cybersecurity incidents that have occurred to date, we are exposed to, and may in the future be adversely impacted by, cyberattacks and interruptions to our information technology systems and infrastructure. Despite the security measures we have implemented, certain cyber incidents could materially disrupt our operational systems, and/or result in the loss of trade secrets, proprietary information, or competitively sensitive data. We seek to maintain a robust and continuously improving cybersecurity program; however, the impact of certain cybersecurity incidents could have a materially adverse impact on our competitive position, reputation, operations and/or financial position. We remain vigilant in continuously improving our cybersecurity program and its controls.

Governance and Management’s Responsibilities

IT management is responsible for the cybersecurity program that assesses and manages cybersecurity risk. Specifically, our Director, IT Infrastructure & Cybersecurity is responsible for the prevention, mitigation, detection, and remediation of cybersecurity incidents, while at the executive level, the Chief Administrative Officer oversees the program and is the executive sponsor. Our Director, IT Infrastructure & Cybersecurity monitors cybersecurity incidents and does so by working closely with expert technology and security partners. We and our partners deploy a variety of technologies and processes, including but not limited to intrusion monitoring, detection and response, patch management, threat hunting, identity and access management, assessments, audits and tests.

Our Director, IT Infrastructure & Cybersecurity has relevant expertise in cybersecurity, having spent the two years prior to joining the Company building a SOX-compliant IT controls framework for a biotechnology company in preparation for its initial public offering. Prior to that, our Director, IT Infrastructure & Cybersecurity spent five years at a publicly traded pharmaceuticals company, where he was responsible for the SOX cybersecurity and compliance of systems, processes, and policies. In addition to SOX compliance, our Director, IT Infrastructure & Cybersecurity has extensive experience with other compliance frameworks, including National Institute of Standards and Technology (NIST), HIPAA, Clinical Laboratory Improvement Amendments (CLIA), and GxP security models.

Cybersecurity threats, including any previous cybersecurity incidents, have not materially affected, and are not reasonably likely to affect, us, including our business strategy, results of operations or financial condition.


Company Information

Name: Third Harmonic Bio, Inc.
CIK: 0001923840
SIC Description: Pharmaceutical Preparations
Ticker: THRD - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30