Connect Biopharma Holdings Ltd 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Connect Biopharma Holdings Ltd reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 09:04:23 EDT.

Filings

10-K filed on 2025-03-31

Connect Biopharma Holdings Ltd filed a 10-K at 2025-03-31 09:04:23 EDT
Accession Number: 0001835268-25-000014


Item 1C. Cybersecurity.

Our Board of Directors (the “Board”) and management recognize the importance of maintaining the trust and confidence of our clinical trial participants, investors, business partners and employees. The Board and the Audit Committee of the Board (the “Audit Committee”) are actively involved in oversight of our cybersecurity program as part of our approach to risk management. Our cybersecurity policies, processes and practices are integrated into our operations and are based on recognized standards such as the National Institute of Standards and Technology Cybersecurity Framework. In general, we seek to address cybersecurity risks through a comprehensive, coordinated approach that is focused on preserving the confidentiality, integrity, security, and availability of our critical systems and the information that we create through our business operations by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.

Risk Management and Strategy

We design and assess our program based on the National Institute of Standards and Technology’s Cybersecurity Framework (“NIST CSF”). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Key elements of our cybersecurity risk management program include, but are not limited to, the following:

- A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
- The utilization of Microsoft 365 services for email, data storage, Identity Provider (“IdP”) for Single Sign-On (“SSO”), and other technical controls such as remote user and device management;
- Microsoft 365 configurations which are aligned with security and industrial standards, including automatic risk management mechanisms and alert notifications for our Information Technology (“IT”) team;
- A zero trust approach to cybersecurity focused on preventing and limiting damage in the event that a malicious actor gains access to our network and operating on the principle “never trust, always verify,” continuously authenticating and authorizing users and devices that seek to obtain access to our systems and data;
- Privileged access management protocols that require user access requests to receive formal, documented approvals with specific business justifications and, following receipt of such approvals, the provision of only the minimum access necessary for the approved purpose;
- Regular monitoring of our Microsoft security score, which serves as a benchmark for our security posture and guides our continuous improvement efforts;
- Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment, including annual external assessments and vulnerability scanning;
- A security team principally responsible for managing our cybersecurity risk assessment processes, our security controls, and our response to cybersecurity incidents;
- Regular security awareness training sessions for users, including simulated phishing email campaigns managed by KnowBe4, a third-party leader in security awareness training;
- A disaster recovery program, including business continuity procedures in the event of a disaster, backup procedures, failover features with up-to-date SaaS services, and data recovery protocols; and
- A third-party risk management (“TPRM”) process to safeguard against risks posed by service providers, suppliers and vendors, based on our assessment of their respective criticality to our operations and respective risk profile, encompassing risk identification, due diligence and risk assessment prior to engagement, and categorization of third parties based on risk levels.

We have not identified risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. We did not experience any material IT security incidents during the fiscal year. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Risk Factors - Our IT Systems, or those of our CROs, CMOs, other contractors, vendors, consultants or collaborators, may fail or suffer system failures, security breaches or deficiencies in cybersecurity, which could result in a material disruption of our product development programs, compromise sensitive information related to our business or trigger contractual and legal obligations.”

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. The Audit Committee oversees management’s implementation of our cybersecurity risk management program. The Audit Committee receives periodic reports from management on our cybersecurity risks, and our IT team directly reports to the Audit Committee on a periodic basis. In addition, management is obligated to update the Audit Committee, as necessary, regarding any significant cybersecurity incidents, as well as any incidents with lesser impact potential. The Audit Committee reports to the full Board regarding its activities, including those related to cybersecurity. The full Board also receives briefings from management on our cyber risk management program. Board members receive presentations on cybersecurity topics from internal staff as part of the Board’s continuing education on topics that impact public companies.

Our Director of Information Technology, who reports to our principal financial officer, leads the operational oversight of Company-wide cybersecurity strategy, policy, standards, and processes and works across relevant departments to assess, manage, and help prepare us and our directors and employees to address cybersecurity risks. Specific cybersecurity related responsibilities of the Director of Information Technology include overseeing our processes and strategies for the detection, mitigation, and remediation of cybersecurity incidents. Our Director of Information Technology has over 25 years of diverse experience in information technology, including management roles at managed service providers, enabling him to effectively oversee cybersecurity risks and threats. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.


Company Information

Name: Connect Biopharma Holdings Ltd
CIK: 0001835268
SIC Description: Pharmaceutical Preparations
Ticker: CNTB - Nasdaq
Website:
Category: Emerging growth company
Fiscal Year End: December 30