Page last updated on March 28, 2025
HCW Biologics Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-28 15:45:25 EDT.
Filings
10-K filed on 2025-03-28
HCW Biologics Inc. filed a 10-K at 2025-03-28 15:45:25 EDT
Accession Number: 0000950170-25-046724
Item 1C. Cybersecurity.
Risk Management
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We also maintain an incident response plan to coordinate the activities we take to protect against, detect, respond to and remediate cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As of the reporting date, the Company updated and published other cybersecurity policies and procedures for access control, including remote access; business continuity; information security related to governance, managing and planning; risk management; and vendor risk and management, which leverages and coordinates with procedures in place for the accounting payable process. We have established physical, electronic, and organizational measures to safeguard and secure our systems to prevent a data compromise. These approaches vary in maturity across our business and we work to continually improve them.
Our approach includes, among other things:
- conducting regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K is scheduled on 2024 IT plan;
- requiring regular cybersecurity training programs for employees, management and directors;
- comparing our processes to standards set by the National Institute of Standards and Technology (“NIST”);
- leveraging the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident;
- operating threat intelligence processes designed to model and research our adversaries;
- conducting regular phishing email simulations for all employees and all contractors with access to corporate email systems to enhance awareness and responsiveness to such possible threats;
- maintaining copies of production data in two separate locations;
- running a backup for our data on a daily basis and these files are held for several months;
- testing the backup and recovery systems frequently;
- employing a multi-factor authorization for employees who are working remotely, in order to mitigate risks of compromising email accounts; and
- holding an insurance policy to mitigate risks for cybersecurity incidents.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all Company risks. As part of this process, appropriate HCWB personnel collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigation.
A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation. We engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported by the key members of management, the and the board of directors, as appropriate. Our policy is to conduct an annual cybersecurity assessment and make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
For the year ended December 31, 2024, the findings of our annual cybersecurity assessment indicated that HCW Biologics has implemented several key security measures, including documented policies, data encryption, unique user identifiers, DNS filtering, and anti-malware tools. We are in the proactive range for compliance with SEC cybersecurity guidelines, that is, we can address common attacks and current threats.
For the year ending December 31, 2025, the Company has launched projects to improve our controls, particularly for logging and monitoring and vulnerability assessments. We currently leverage an AI-driven endpoint threat detection and prevention system. To strengthen our cybersecurity posture, we intend to implement a Security Information and Event Management (SIEM) solution that will aggregate and analyze logs from all critical infrastructure, including network, cloud, and endpoint security platforms. We also intend to expand our vulnerability management process to ensure regular assessments of public-facing systems and network devices.
We are currently conducting a data migration project that is expected to enhance the Company’s security posture and resilience against potential threats, in compliance with SEC guidelines.
For the year ended December 31, 2024, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Risks Related to Data Privacy and Cybersecurity” included as part of our risk factor disclosures at Item 1A of this Annual Report, which disclosures are incorporated by reference herein. To date, we have not experienced a material cybersecurity incident and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.
Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management. Our Audit Committee of our Board of Directors is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks.
In such sessions, the Audit Committee generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing our ability to mitigate those risks, and discusses such matters with our Operations Administrator, who is supported by Compass MSP, a leading provider of technology managed services. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks may also be considered during separate Board meeting discussions.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer, who has founded and led several biotech companies for over 20 years, all of which have implemented systems and processes to protect sensitive clinical data and patient information. He is supported by our IT consultant, Compass MSP, a leading provider of technology managed services. Our consultant conducts a vulnerability assessment annually and tests our backup and recovery systems frequently. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. If a cybersecurity incident is determined to be a material cybersecurity incident, our incident response plan and cybersecurity disclosure controls and procedures define the process to disclose such a material cybersecurity incident.
Company Information
Name | HCW Biologics Inc. |
CIK | 0001828673 |
SIC Description | Pharmaceutical Preparations |
Ticker | HCWB - Nasdaq |
Website | |
Category | Emerging growth company |
Fiscal Year End | December 30 |