Absci Corp - (ABSI)
10-K Filing Date: March 21, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established a cybersecurity program, which includes maintaining policies and processes for assessing, identifying, and managing risks from cybersecurity threats, and have integrated these policies and processes into our overall risk management strategy. Our cybersecurity program is informed by standards established by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
We maintain processes for conducting internal and external cybersecurity risk assessments to identify cybersecurity threats that may adversely impact the confidentiality, integrity, or availability of our information systems or data residing therein. We generally conduct internal cybersecurity risk assessments and audits on at least a quarterly basis, which may include penetration testing and vulnerability assessments. We also regularly conduct cybersecurity simulation exercises, including in connection with our disaster recovery procedures. Additionally, we engage third-party service providers to support these efforts, including to conduct security testing on an annual basis.
We also engage assessors, consultants, auditors, or other third parties in connection with our risk assessment processes to assist us in our design and implementation of our cybersecurity policies and procedures and in our assessment and testing of our security safeguards. This includes a third-party managed detection and response team (MDR) to conduct ongoing network monitoring and to support incident management and threat assessment. Additionally, as a public company, we are subject to regulatory requirements and undergo audits of our financial statements, which include a review of related cybersecurity controls and information technology systems.
We maintain a cybersecurity awareness training program for employees, which is provided during onboarding and on an annual basis thereafter. Our training program includes simulated phishing campaigns, which are designed to increase awareness and detection and to equip our personnel with effective tools to identify and address cybersecurity threats.
Although risks from cybersecurity threats have not materially affected, and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our and our third-party vendors’ information systems. For more information about the cybersecurity risks we face, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Security breaches, loss of data and other disruptions could compromise sensitive information related to our business or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation.”
Governance
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through our audit committee.
Our Director of Information Technology is responsible for monitoring and assessing the day-to-day management of cybersecurity risks. The individual who currently holds the position of Director of Information Technology has approximately fifteen years of IT management and cybersecurity experience. Our IT Committee, which is comprised of senior leadership team members across our Information Technology, Finance, Law and Innovation departments, is responsible for overseeing our cybersecurity policies and processes. Our IT Committee meets regularly with our Director of Information Technology to evaluate cybersecurity threats. We maintain an established process to notify the IT Committee of identified cyber incidents and to provide an assessment of the potential criticality and impact of such incidents. We have also implemented procedures for response and containment efforts to address the actual or potential impact of identified cybersecurity incidents, as applicable.
Representatives from our IT Committee provide briefings regarding cyber matters to our audit committee on a quarterly basis, and directly to the full board of directors on an annual basis. Such briefings may include a discussion of cyber risks and applicable risk assessments, key updates regarding our cyber strategy and related initiatives, and the emerging cybersecurity threats that may impact our business.