Allogene Therapeutics, Inc. - (ALLO)

10-K Filing Date: March 14, 2024
Item 1C. Cybersecurity.
Risk management and strategy
We take a risk-based approach in implementing and maintaining various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and information related to our clinical trials, products in development, and proprietary technologies (“Information Systems and Data”).
Our information security function, supported by members of our IT and Legal departments and our third-party IT service providers, helps identify, assess and manage the Company’s cybersecurity threats and risks. This team helps to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example: automated tools, subscribing to reports and services that identify cybersecurity threats and analyzing such reports of threats and actors, conducting scans of our threat environment, evaluating threats reported to us, coordinating with law enforcement as appropriate about certain threats, having third parties conduct threat assessments, conducting vulnerability assessments, and working with third parties to conduct certain tests of our environment.
Depending on the environment and systems, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response procedures; an incident response policy; a vulnerability management policy; a disaster recovery plan; conducting risk assessments; encrypting certain of our data; maintaining network security controls; segmenting certain data; maintaining access and physical security controls; asset management, tracking, and disposal protocols; systems monitoring; assessing vendor risk; employee training; penetration testing conducted by third parties; and maintaining cybersecurity insurance.
The cybersecurity risk management and mitigation measures we implement for certain of our Information Systems and Data include, for example: (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management assessment processes; (2) the information security function works with senior management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors, which evaluates our overall enterprise risk; (4) policies and procedures to manage how Information Systems and Data are collected, maintained and stored; and (5) communicating with and training personnel on cybersecurity risks and trends.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example: professional services firms, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, and penetration testing firms.


We use third-party service providers to perform a variety of functions throughout our business, such as application providers, contract research organizations (CROs), contract development and manufacturing organizations (CDMOs) and supply chain resources. We assess vendors using a risk-based approach to manage cybersecurity risks associated with our use of certain of these providers. Through these practices, we may conduct risk assessments of vendors, provide and review security questionnaires, review vendors’ written information security programs and security assessments, and impose contractual obligations related to information security on our vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part I. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our security measures, or those of our CROs, CDMOs, collaborators, contractors, consultants or other third parties upon whom we rely, are or were compromised or the security, confidentiality, integrity or availability of our information technology, software, services, networks, communications or data is compromised, limited or fails, we could experience a material adverse impact.”
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Members of the audit committee receive scheduled updates from senior management.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including our Director of IT Security and Executive Director/Head of IT. Our Director of IT Security has over 13 years of experience leading IT security and holds certifications including CISSP and CCSP. Our Executive Director of IT Data Management, Analytics and Integration has over 20 years of experience in IT, data engineering, and data analytics.
Our Director of IT Security is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall IT risk management strategy, communicating key priorities to relevant personnel, overseeing cybersecurity operations, and managing the cybersecurity technologies, processes, and projects. Our Executive Director of IT Data Management, Analytics and Integration is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and conducting regular reviews of security assessments and other security-related reports.
Our cybersecurity incident response and vulnerability management policies are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including the Director of IT Security, the Executive Director of IT Data Management, Analytics and Integration, and the General Counsel. The Director of IT Security, the Executive Director of IT Data Management, Analytics and Integration, and the General Counsel work with the Company’s cross-functional incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response and vulnerability management policies and procedures include reporting to the audit committee of the board of directors for certain cybersecurity incidents.
The audit committee receives periodic reports from the Executive Director of IT Data Management, Analytics and Integration and the General Counsel concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them. The audit committee also receives various reports, summaries or presentations related to cybersecurity threats, risks and mitigation.