ACHIEVE LIFE SCIENCES, INC. - (ACHV)

10-K Filing Date: March 28, 2024
ITEM 1C. CYBERSECURITY

 

Cybersecurity Risk Management and Strategy



Our process for managing cybersecurity risk is comprised of technologies, controls, and procedures designed to detect, assess, and manage threats and control access. We utilize a variety of systems, software, and services including firewalls, network and endpoint monitoring, anti-malware, detection and response, patch management, and backups to mitigate, identify, analyze, and respond to identified vulnerabilities and incidents in a timely manner.

We evaluate our security posture on an ongoing basis via vulnerability scans, penetration testing, and threat intelligence monitoring. We periodically conduct third-party security assessments and regularly evaluate our processes against industry standard security frameworks. We conduct regular security training to elevate awareness and foster a security conscious culture among all employees.

We leverage third-party service providers and solutions in many aspects of our operations. Our vendor management and oversight procedures include assessment of cybersecurity risk.

We do not believe there are any currently known cybersecurity risks that are reasonably likely to materially impact our business strategy, operations, or financial condition. If we were to experience a material cybersecurity incident in the future, such incident may have an adverse effect, including on our business operations, operating results, or financial condition. For more information regarding cybersecurity risks that we face and the related potential impacts on our business, see the risk factor titled “Our internal computer systems, or those of our third-party collaborators or other service providers, may fail or suffer security breaches and cyber-attacks, which could result in a material disruption of our development programs.”

Cybersecurity Governance

 

Cybersecurity is an important part of our risk management processes and an area of increasing focus for our board of directors, or Board, and management.

The Audit Committee of our Board, or Audit Committee, is responsible for the oversight of risks from cybersecurity threats. At least annually, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Potential material cybersecurity threat risks are also considered during Board meeting discussions of important matters like risk management, business continuity planning, and other relevant matters.

 

Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management, including our Senior Director of Information Technology who has served in various roles managing information technology and information security for over twenty-five years and reports directly to the Chief Executive Officer.

Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, and for communicating key priorities to employees, as well as for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

 

Our cybersecurity incident response and vulnerability management processes involve management, who participates in our disclosure controls and procedures. Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances, including work with the company’s incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, the company’s incident response processes include reporting to the Audit Committee for certain cybersecurity incidents.

Management is involved with our efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing preparation of cybersecurity policies and procedures, testing of incident response plans, and engagement of vendors to conduct penetration tests. Management participates in cybersecurity incident response efforts by being a member of the incident response team and helping direct our response to cybersecurity incidents.