LAVA Therapeutics NV 10-K Cybersecurity GRC - 2025-03-28

Page last updated on March 28, 2025

LAVA Therapeutics NV reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-28 16:06:33 EDT.

Filings

10-K filed on 2025-03-28

LAVA Therapeutics NV filed a 10-K at 2025-03-28 16:06:33 EDT
Accession Number: 0001558370-25-003988

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C: Cybersecurity Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, employee personal information, and clinical trial data (Information Systems and Data). We leverage third-party service providers to help management identify, assess, and manage our cybersecurity threats and risks. With the assistance of our third-party service providers, we identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example multiple layers of automated tools to assess and mitigate real-time threats, continual and periodic scans of the threat environment, and conducting internal/external audits, and third-party threat assessments. Depending on the environment and system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response policy, tools designed to assist with incident detection and response, data encryption for certain data, network security controls, data segregation for certain data, access controls, penetration testing, and employee training. We also maintain an information security policy and cybersecurity insurance. We use third-party service providers to assist management in identifying, assessing, and managing material risks from cybersecurity threats, including, for example, outside legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, and managed cybersecurity service providers. Additionally, our third-party service providers perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, contract manufacturing organizations, distributors, and supply chain resources. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our review of that third party’s security program, due diligence may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this annual report on Form 10-K, including risks related to regulatory compliance and general risk factors. Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The audit committee of the board is responsible for overseeing our cybersecurity risk management processes, including overseeing mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain senior management, including the Chief Financial Officer (CFO), leveraging the expertise of our third-party service providers, including our part-time IT and security consultant, who has over 23 years of experience in IT and 16 years of IT security experience. The CFO has 22 years of experience managing IT departments in life science companies and has devoted significant attention to evaluation of risks posed by cybersecurity threats and means to mitigate those risks, while evaluating strategies to gain a high level of cyber security. The CFO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response policy is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including to the General Counsel. Members of management, including the General Counsel and CFO, will work with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response policy includes reporting to the audit committee of the board of directors for certain cybersecurity incidents. The audit committee receives quarterly reports from management concerning our information security policy and incident response policy and the processes we have implemented to address them. The audit committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.

Company Information