ALPINE IMMUNE SCIENCES, INC. - (ALPN)
10-K Filing Date: March 19, 2024
Item 1C. Cybersecurity.
Cybersecurity Risk Management Strategy
We have developed and implemented processes and policies for identifying, assessing, and managing material risks from cybersecurity threats. We have established a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management strategy is informed by the National Institute of Standards and Technology, or NIST, Cybersecurity Framework, or CSF, and the NIST Risk Management Framework. Our cybersecurity processes have been integrated into our overall business risk management process.
Both internally and through third-party experts, we routinely assess our information technology, or IT, environment with reference to the NIST CSF. We also assess risks related to third-party vendors, suppliers and contractors. Our risk assessments include identifying reasonably foreseeable potential internal and external risks, the likelihood of occurrence and any potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, controls, and other safeguards in place to manage such risks. Following these risk assessments, we evaluate whether and how to design, implement, and maintain reasonable safeguards to minimize the identified risks; reasonably address any identified gaps in existing safeguards; update existing safeguards as necessary; and monitor the effectiveness of our safeguards. We provide regular training to our employees regarding cybersecurity threats and best practices, and we have established policies for the responsible use of our IT and information resources. We also maintain a cyber insurance policy to mitigate and cover cybersecurity risks.
As of the date of this report, we have not experienced cybersecurity incidents or are aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. For additional information about our cybersecurity risks, please see the section of this report titled “Risk Factors.”
Cybersecurity Governance
Our board of directors administers its cybersecurity risk oversight function directly through the audit committee. Through its regular meetings with management, including the finance, legal, and risk management functions, the audit committee reviews and discusses all significant areas of our business, including cybersecurity risks, and summarizes for the board of directors all areas of risk and the appropriate mitigating factors. The audit committee is responsible for the oversight of cybersecurity risk monitoring and assessment, and the officers and information technology personnel who oversee monitoring and assessing strategic risk exposure and the day-to-day management of material risks.
The Information Technology Risk Management Committee, or ITRMC, was established to assist in identifying, assessing, and managing risks across various domains to protect our interests, assets, reputation, and enhance its resilience. The ITRMC consists of members with diverse backgrounds, expertise, and experience relevant to risk management, including the CFO and Head of IT. The ITRMC is informed about our cybersecurity risks, including risks from cybersecurity incidents, through information obtained directly from and through working with our internal security team and outside experts. The ITRMC provides oversight, guidance, and recommendations on risk management strategies, policies, procedures, and practices to the executive management team and the audit committee. The ITRMC, as needed with assistance from external experts, provides regular reports to executive management and the audit committee, covering items such as risk management activities, significant risk exposures, mitigation efforts, and audits.