CORRESP 1 filename1.htm CORRESP

Prothena Corporation plc

77 Sir John Rogerson’s Quay, Block C

Grand Canal Docklands

Dublin 2, D02 VK60, Ireland

August 4, 2023

United States Securities and Exchange Commission

Division of Corporation Finance

Office of Life Sciences

100 F Street, N.E.

Washington, D.C. 20549

 

Attention:   

Suzanne Hayes

Tyler Howes

Re:   

Prothena Corporation plc

Form 10-Q for the Fiscal Quarter Ended March 31, 2023

Filed May 4, 2023

File No. 001-35676

Ladies and Gentlemen:

Prothena Corporation plc (the “Company”) is providing this letter in response to the comment received from the staff (the “Staff”) of the United States Securities and Exchange Commission (the “Commission”) by letter dated July 25, 2023, relating to the Company’s Quarterly Report on Form 10-Q for the fiscal quarter ended March 31, 2023 (the “Q1 Form 10-Q”). To facilitate your review, we have reproduced the Staff’s comment in bold italics and have followed the comment with the Company’s response in ordinary type.

Form 10-Q for the Fiscal Quarter Ended March 31, 2023

General

 

1.

We note your inclusion of a risk factor discussing risks related to hypothetical data breaches and other cybersecurity incidents. We also note that this risk factor has not been updated to discuss the data breach you suffered from December 20, 2021 to April 22, 2022 wherein an employee email was temporarily accessed by a third-party without authorization. Please provide your analysis supporting the conclusion that this incident did not warrant disclosure or the updating of your hypothetical cybersecurity risk factor. Please also tell us about any ongoing processes by which you are evaluating whether disclosure of cybersecurity incidents is warranted under the federal securities laws.

 

1

Company Response:

In response to the Staff’s comment, the Company respectfully advises the Staff that the Company has in place an incident response plan (the “IRP”) to respond to breaches and other cybersecurity incidents. In accordance with the IRP, the Company and its advisors performed an assessment of a data breach that the Company suffered from approximately December 20, 2021, to April 22, 2022, in which a bad actor compromised a single employee email account and attempted to redirect vendor payments to alternate bank accounts, and concluded that the incident was not material and did not warrant disclosure under the federal securities laws. Specifically, promptly after identifying the breach, the Company engaged third-party advisors, including external cybersecurity and legal advisors. The Company and its advisors performed a forensic investigation, assessed the breach and its impacts and concluded that the Company’s controls and procedures were effective in preventing any wire fraud or misdirected payments. The Company notified individuals and government authorities in certain jurisdictions that certain personally identifiable information may have been accessed by the bad actor. No litigation, regulatory actions, or other legal claims resulted from the data breach or subsequent notification process, other than routine follow-up inquiries from some notified government authorities, who then took no further action.

To be as responsive as possible to the Staff’s comment, the Company enhanced its disclosure in the Company’s Quarterly Report on Form 10-Q for the fiscal quarter ended June 30, 2023, filed with the Commission on August 3, 2023, under the heading “Risk Factors.” The changes to such disclosure (as compared to the disclosure in the Q1 Form 10-Q) to address the Staff’s comment are highlighted below in bold underlined and strikethrough text:

We may experience breaches or similar disruptions of our information technology systems or data.

Our business is increasingly dependent on critical, complex, and interdependent information technology systems to support business processes as well as internal and external communications. Despite the implementation of security measures, our internal computer systems, and those of our current and any future CROs and other contractors, consultants, and collaborators, have been subject to and remain are vulnerable to damage from cyberattacks, “phishing” attacks, ransomware, computer viruses, unauthorized access, natural disasters, terrorism, war, and telecommunication or electrical failures. Attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication, and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. As a result of the COVID-19 pandemic, we may also face increased cybersecurity risks due to our reliance on internet technology and the number of our employees who are working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Furthermore, because the techniques used to obtain unauthorized access to or to sabotage systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Any breakdown, malicious intrusion, or computer virus could result in the impairment of key business processes or breach of data security, which could result in a material disruption of our development programs and cause interruptions in our business operations, whether due to a loss of our trade secrets or other intellectual property or lead to unauthorized disclosure

 

2

of personal data of our employees, third parties with which we do business, clinical trial participants, or others. For example, the loss of clinical trial data from completed or future clinical trials could result in delays in our regulatory approval efforts and significantly increase our costs to recover or reproduce the data. In addition, such a breach may require notification to governmental agencies, the media, or individuals pursuant to applicable data privacy and security law and regulations. Such an event could have an adverse effect on our business, financial condition, or results of operations.”

*    *     *

 

3

If you have any questions regarding the matters in this letter, please reach out to the undersigned at (650) 837-8550.

Sincerely,

/s/ Michael Malecek            

Michael Malecek

Chief Legal Officer

 

Cc:

Tran Nguyen, Prothena Corporation plc

Karin Walker, Prothena Corporation plc

Sharon Flanagan, Sidley Austin LLP

Sonia Barros, Sidley Austin LLP

Carlton Fleming, Sidley Austin LLP

 

4