{"url_path":"/sec/grce/10-k/2026/item-1c","section_key":"item-1c","section_title":"Item 1C Cybersecurity","topic":"sec","document":{"doc_type":"10-K","doc_date":"2026-06-18","source_url":"https://www.sec.gov/Archives/edgar/data/1444192/0001140361-26-025662-index.html","accession_number":"0001140361-26-025662","cik":"0001444192","ticker":"GRCE","issuer_name":"Grace Therapeutics, Inc.","edgar_url":"https://www.sec.gov/Archives/edgar/data/1444192/0001140361-26-025662-index.html","primary_entity_key":"0001444192","primary_entity_name":"Grace Therapeutics, Inc."},"word_count":635,"has_tables":true,"body_markdown":"Item 1C.\n\n Cybersecurity\n\n \n\nWe are increasingly dependent on third-party provided software applications and computing infrastructure to conduct key operations. We depend on both our own procured systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.\n\n \n\nGiven the importance of cybersecurity to our business, we maintain a cybersecurity program that is based on a set of cybersecurity policies and processes to support our controls and our preparedness for treatment of identified information security risks. We also undergo periodic evaluations of our cybersecurity program through cybersecurity assessment and cybersecurity incident response tabletop exercises, conducted by our cybersecurity advisors. As a result of such assessments and exercises, a number of processes have been established or are being enhanced upon to support the protection of our data and systems.\n\n \n\nWe assess and manage cybersecurity\nrisks associated with third-party service providers through a range of\nprocesses, including performing risk-based due diligence during onboarding, and\nconducting periodic reassessments of key and higher-risk vendors based on\ndefined criticality and risk criteria.\n\n \n\nWe also seek to obtain and review\ncybersecurity audit reports (e.g., SOC reports) where available and incorporate\nappropriate security, data protection, and incident notification provisions\ninto our contracts. While these measures are designed to mitigate third-party\nrisks, they may not prevent all adverse events.\n\n \n\nProcess for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats\n\n \n\nIn the event of a cybersecurity\nincident, we maintain a Cybersecurity Incident Response Plan. Pursuant to the\nplan and its escalation protocols, designated personnel are responsible for\nassessing the severity of a cybersecurity incident and associated threat,\ncontaining the threat, remediating the threat, including recovery of data and\naccess to systems, analyzing any reporting obligations associated with the cybersecurity\nincident, and performing post-incident analysis and program enhancements, as\nappropriate. We have a relationship with various law firms to assist with\nadvisory on legal aspects of addressing cybersecurity incidents and\ncommunicating accordingly.\n\n \n\nGovernance\n\n \n\nManagement Oversight\n\n \n\nThe existing controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our information technology (“IT”) consultant. Our IT consultant leverages its over 35 years of experience. Our IT consultant is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity incidents. Our IT consultant reports on its activities to senior management who then assess and manage risks of cybersecurity threats.\n\n \n\nBoard Oversight\n\n \n\nWhile our\nBoard of Directors (the “Board”) has overall responsibility for risk oversight,\nthe Audit Committee of the Board (the “Audit Committee”) oversees cybersecurity\nrisk matters. The Audit Committee is responsible for reviewing, monitoring,\nreporting and, where appropriate, providing recommendations to the Board\nregarding compliance with our internal policies and its progress in remedying\nany material deficiencies, including those related to our security policies,\nincluding the physical safeguarding of corporate assets and security of our\nnetworks and information systems. The Audit Committee receives periodic updates\nfrom management regarding the cybersecurity program, including top threats and\nrisks, and updates on the cybersecurity roadmap.\n\n \n\nCybersecurity Risks\n\n \n\nWe maintain a Risk Management Policy that governs the process in which we identify cybersecurity risks, evaluate their associated impacts and risk levels, and document them accordingly in the Cybersecurity Risk Register.\n\n \n\n58\n\n*Table of Contents*\n\nAlthough we have experienced phishing\nand similar attempts for unauthorized access to our information technology\nsystems and data, during the last three years, we did not experience any\nmaterial cybersecurity incidents or threats, including as a result of any prior\nincidents or attempts, that have materially affected, or are reasonably likely\nto materially affect, our business strategy, results of operations, or\nfinancial condition. However, evolving cybersecurity threats make it\nincreasingly challenging to anticipate, detect, and defend against such threats\nand incidents. For additional information, see “Item 1A—Risk Factors.”"}