Traws Pharma, Inc. 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

Traws Pharma, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 16:35:38 EDT.

Filings

10-K filed on 2025-03-31

Traws Pharma, Inc. filed a 10-K at 2025-03-31 16:35:38 EDT
Accession Number: 0001558370-25-004165

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy Due to the size of our company, we have not yet developed robust policies and processes for assessing, identifying, and managing material risk from cybersecurity threats . We have implemented access controls with respect to our systems, which we monitor regularly. We currently rely heavily on products and services provided by third-party suppliers to operate certain critical business systems, including without limitation, cloud-based infrastructure, encryption and authentication technology, email, and other functions. We rely on third party providers and outsourced IT services to protect, detect, monitor, mitigate and address cybersecurity related risks, including installing software for threat protection and malware. Such third party providers are tasked with notifying management of any material risks or cybersecurity concerns that they identify, which management then assesses and may bring to our audit committee or board of directors to discuss if deemed necessary or appropriate. We also alert employees to significant new cybersecurity issues on a regular basis. We rely heavily on third party service providers for our clinical development activities and cloud-based documentation and communications. A cybersecurity incident at a vendor or other third-party service provider could have a material and adverse impact on our business, results of operations and financial condition. We do not currently have a formal process in place for evaluating or reviewing third party vendor cybersecurity risks and procedures and rely on such third parties to implement adequate protectionary and detection measures. We do not specifically utilize assessors, consultants, auditors, or other third parties to evaluate or enhance our cybersecurity programs. On an annual basis, our information technology risks, controls and procedures are reviewed by third-party experts as part of our Sarbanes-Oxley review and testing. Board Governance and Management Our management team is primarily responsible for assessing and managing our strategic risk exposures, including material risks from cybersecurity threats, with assistance from third-party service providers. Management oversees our cybersecurity process on a day-to-day basis, including those described in “Risk Management and Strategy,” above. Our board of directors has oversight responsibility for risk management, which it administers directly and with assistance from its committees, primarily the audit committee. Throughout the year, the board and its committees engage with management to discuss a wide range of enterprise risks, including cybersecurity. The audit committee assists the board of directors by overseeing the steps management has taken to monitor and mitigate cybersecurity threats and risks. The audit committee receives reports annually from management on our cybersecurity strategy and program. Significant changes are reported to the audit committee from time to time. Cybersecurity incidents which are determined by management to be material will be reported immediately to the audit committee. To date, we are not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on our business or operations; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for us to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. See “Part I -Item 1A. Risk Factors” for further discussion of these risks.

Company Information