Page last updated on March 31, 2025
Celcuity Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 17:00:31 EDT.
Filings
10-K filed on 2025-03-31
Celcuity Inc. filed a 10-K at 2025-03-31 17:00:31 EDT
Accession Number: 0001641172-25-001826
Item 1C. Cybersecurity.
Risk Management & Strategy

Our cybersecurity risk management process is a component of our overall approach to managing material risks that could impact our operations, including cybersecurity threats. In general, we seek to manage material internal and third-party cybersecurity risks through an approach that focuses on: (i) protecting information systems and the information residing therein; (ii) identifying, preventing, and mitigating cybersecurity threats; and (iii) assessing and responding to cybersecurity incidents when they occur. Maintaining, monitoring, and updating our information security program – in an effort to ensure that it remains reasonable and appropriate in light of changes in the security threat landscape, available technology, and applicable legal and contractual requirements – is an ongoing effort.

We have implemented and maintain various processes, procedures, and measures to support our overall risk management strategy and to manage and mitigate the material risks posed by cybersecurity threats to our systems and data. With respect to cybersecurity, these measures include conducting risk assessments of our operations and using a risk register to assess identified risks; developing business continuity, disaster recovery and incident response plans; implementing technical safeguards and tools; conducting ongoing cybersecurity awareness training; and using contractual protections where appropriate.

Our incident response plan outlines the procedures for reporting, investigating, and remediating cybersecurity incidents, including a framework to facilitate the escalation to our management team and board of cybersecurity incidents, so that our management team is alerted in a timely manner to material information that would be required to be disclosed or reported.

Our IT department maintains policies and procedures regarding network security, data protection and incident response. Pursuant to those policies, IT engages with the Chief Financial Officer, General Counsel and other experts when assessing cybersecurity threats, incident response, and making disclosure determinations following a data or network breach. The Vice President, IT is accountable at the management level for our overall IT risk management program. Additionally, our Chief Executive Officer and Audit Committee receive regular updates from the Chief Financial Officer, General Counsel and the Vice President, IT about significant threats and incidents involving cybersecurity and data protection, as well as security enhancements made to our IT infrastructure.

We use third-party service providers for a variety of services throughout our business, ranging from infrastructure support and maintenance, cybersecurity incident response, data protection and privacy compliance. In addition, we engage with contract research organizations, contract manufacturing organizations, distributors, and other supply chain resources. We believe that the use of external service providers improves our operational capabilities, and we have implemented a vendor qualification and management program that applies to our service providers, including those that handle protected health information, personal information, or other information subject to protection under applicable privacy and data protection regulations. This program is designed to identify, address and seek to mitigate potential cybersecurity and data protection risks that arise from our use of external service providers. While we do not have full visibility into the cybersecurity risk management processes of our vendors, we require new service providers to complete a vendor questionnaire that identifies the vendor’s network and user protections, such as the use of multi-factor authentication, and other cybersecurity risk management processes. Vendors that store or access our confidential information are required to certify that their information systems comply with applicable industry guidelines for cybersecurity, backup, and system recovery. We rely on our third-party service providers to provide notification of, and remediate, significant cybersecurity threats and cybersecurity incidents that jeopardize the confidentiality, integrity, or availability of our information.

We periodically evaluate, test, and update our policies, standards, and processes to mitigate cybersecurity threats and manage incidents effectively. These efforts include risk assessments, vulnerability assessments and remediations, phishing tests and employee education, and external scans. Additionally, to enhance our capabilities, we periodically engage third-party service providers, including cybersecurity consultants, to incorporate threat intelligence into our processes.

As of the date of this Form 10-K, we are not aware of any risks from cybersecurity threats, including those resulting from any previous cybersecurity incidents experienced by us or, to our knowledge, by any of our third-party service providers, that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition. For further discussion of cybersecurity and data privacy risks that may materially affect the Company and how they may do so, see “Risk Factors – If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could face clinical trial delays; regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; and other adverse consequences,” included in Item 1A of this Annual Report on Form 10-K.

Governance

Our Audit Committee oversees Celcuity’s management of risks arising from cybersecurity threats. Our CEO delivers periodic briefings to the Board and Audit Committee on material cybersecurity risks that are pertinent to our business operations. Additionally, we have processes to promptly notify the Audit Committee and Board of a significant cybersecurity incident and to inform the Audit Committee and Board of remediation progress, as appropriate.

The Vice President, IT has overall responsibility for our information security program, with support from our management team and specialized partners in cybersecurity incident response and privacy. The process includes managing our incident response strategy. If a cybersecurity incident meets certain criteria, however, our CEO, CFO and General Counsel will become involved with the response strategy, including decisions about public disclosure and reporting. Our Vice President, IT also coordinates with our CEO, CFO and General Counsel to determine strategic cybersecurity priorities and to establish compliance procedures.

We believe our business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats. Our Vice President, IT has served in various roles in information technology and information security for over three decades, which includes experience in the biotech, pharmaceutical and healthcare industries and experience in cybersecurity risk management and data privacy compliance.

In the ordinary course of our business, we, and the third parties upon which we rely, collect, process, receive, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, share and store (collectively, “process”) proprietary, confidential, and sensitive information, including protected health information, personal information, credit card and other financial information, or other sensitive information owned or controlled by ourselves or our customers, payors, and other parties.
Company Information
Name | Celcuity Inc. |
CIK | 0001603454 |
SIC Description | Services-Medical Laboratories |
Ticker | CELC - Nasdaq |
Website | |
Category | Non-accelerated filer Smaller reporting company |
Fiscal Year End | December 30 |