LEXICON PHARMACEUTICALS, INC. - (LXRX)

10-K Filing Date: March 25, 2024
Item 1C. Cybersecurity
 
Cybersecurity represents an important component of our overall approach to enterprise risk management. Our cybersecurity policies, standards, processes and practices are fully integrated into our enterprise risk management program and are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity threats when they occur.

Our cybersecurity program is focused on the following key areas:

Technical Safeguards. We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, an endpoint protection platform system, anti-malware functionality, email filtering, URL filtering and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.

Education and Awareness. We provide regular, mandatory training for personnel regarding cybersecurity threats, as well as periodic decoy and honeypot testing, as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.

Assessments of Third Party Service Providers. We regularly evaluate the cybersecurity policies, standards, processes and practices of our key third party service providers in order to effectively identify and address any vulnerabilities or other risks.

Incident Response and Recovery Planning. We have established and maintain comprehensive incident response and recovery plans that fully address our response to a cybersecurity incident, and such plans are tested and evaluated on a regular basis.

Collaborative Approach. We have implemented a comprehensive, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

We engage in the periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to our executive management and board of directors, and we adjust our cybersecurity policies, standards, processes and practices as necessary based on the information provided by these assessments, audits and reviews.

Our executive management and board of directors oversee our enterprise risk management process, including the management of risks arising from cybersecurity threats. Our executive management and board of directors each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third party and independent reviews, the threat environment, technological trends and information security considerations arising with respect to our peers and third parties. Our executive management and board of directors also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

Our vice president, information operations works collaboratively across our company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity threats in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity risk management program, multidisciplinary teams are deployed to address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, our vice president, information operations monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to executive management when appropriate. Our vice president, information systems has served in such role since October 2021 and in various roles in information security and information technology for over 25 years.

Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected our company to date, including our business strategy, results of operation or financial condition. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Data breaches and cyber-attacks could compromise our intellectual property or other sensitive information and cause significant damage to our business, reputational harm and financial loss.”