Annexon, Inc. - (ANNX)

10-K Filing Date: March 26, 2024
Item 1C. Cybersecurity

Risk management and strategy

We have implemented a risk-based approach designed to identify, assess and manage cybersecurity threats that could materially affect our business and information systems. We attempt to identify and assess risks from cybersecurity threats by evaluating our threat environment using various methods including, for example: maintaining manual and automated tools, subscribing to reports and services that identify cybersecurity threats, evaluating threats reported to us, and completing third-party cybersecurity threat assessments.

We use cybersecurity consultants and penetration testing firms in an effort to identify, assess, and manage material risks from cybersecurity threats. We use third-party service providers, such as data hosting providers, in various elements of our business operations. To help manage cybersecurity risks associated with our use of third-party service providers, we primarily engage with industry-preferred service providers, and we also contractually require service providers with access to personal, confidential, or proprietary information to maintain data security controls and practices.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Cybersecurity risks and the failure to maintain the security, confidentiality, integrity, or availability of our information technology systems or data, and those maintained on our behalf, could lead to adverse consequences that materially adversely affect our business, including, without limitation, regulatory investigations or actions, a material interruption to our operations, including clinical trials, damage to our reputation and/or subject us to costs, loss of customers or sales, fines and penalties or lawsuits.”

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The audit committee is responsible for advising on the Company’s cybersecurity risk management processes, including oversight of mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and risk management processes are managed by certain Company management, including our CFO (who has prior experience in strategic business operations). Our CFO has supervisory responsibility over IT and cybersecurity functions. Our Company management is responsible for helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, helping prepare for and respond to cybersecurity incidents, and reviewing security assessments and other security-related reports. Our incident response team is responsible for remediating cybersecurity incidents of which they are notified.

We maintain a cybersecurity policy, reviewed with our audit committee, which is designed to address cybersecurity risks to the Company (including by escalating certain cybersecurity incidents to members of management and the board of the audit committee, in each case depending on the circumstances). We also maintain incident response procedures designed to assist the Company in responding to cybersecurity incidents.