Verastem, Inc. - (VSTM)
10-K Filing Date: March 14, 2024
Risk management and strategy.
In the ordinary course of our business, we and our third-party service providers, such as contract research organizations, contract manufacturing organizations, and managed service providers, collect, maintain and transmit sensitive data on our networks and systems, including our intellectual property and proprietary or confidential business information (such as research and development data and personal information). Maintaining the confidentiality, availability and integrity of this information is critical to our business and reputation. In addition, we are heavily dependent on the functioning of our information technology applications and services to carry out our business processes. While we have adopted administrative, technical and physical safeguards to protect such systems and data, our systems and those of third-party service providers may be vulnerable to a cyber-attack.
We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include assessment of, and response to, internal and external threats to the security, confidentiality, integrity and availability of our data and information systems, along with other material risks to our operations, at least annually or whenever there are material changes to our systems or operations.
Our risk management team collaborates with our Chief Information Officer (“CIO”), our internal information technology (“IT”) department, our Compliance team and our third-party IT managed service providers to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We have processes to detect potential vulnerabilities and anomalies through technical safeguards and have adopted policies and procedures around internal and external notification of cybersecurity incidents. Our CIO and IT Department implement processes around security monitoring and vulnerability testing. We also have in place an incident response process for responding to and escalating cybersecurity events and incidents.
As part of our risk management process, we engage outside providers to conduct periodic internal and external penetration testing of our systems, networks and web properties. We also employ internal security testing solutions and security awareness training for all employees.
We engage a security operations platform provider to assist us in monitoring, assessing and managing potential cyber events. We also perform periodic cyber maturity assessments to measure our cybersecurity profile against industry peers and standards.
We rely on third parties, including software-as-a-service and platform-as-a-service cloud vendors, for various business functions. Our third-party service providers have access to our information systems and data, and we rely on such third parties for the continuous operation of our business. We oversee these third-party service providers by conducting vendor diligence during contracting and onboarding and through ongoing monitoring. Vendors are assessed for risk based on the nature of their service, access to data and systems, and the level to which those systems and data impact our business. Based on that assessment, we conduct diligence that may include completing security questionnaires, onsite audits, and other technical and data security evaluations.
Governance.
Our Board of Directors provides oversight of the Company’s cybersecurity risk management program and integrates this oversight into its overall evaluation of enterprise risk. Our Audit Committee has primary responsibility for oversight of cybersecurity and is briefed on cybersecurity risks at least once each year and following any material cybersecurity incidents.
At the management level, our cybersecurity program is managed by our CIO, reporting into the executive leadership team. Our CIO has over 30 years of experience managing IT operations and cybersecurity within the pharmaceutical, biotechnology and high-tech industries.
Our CIO reports at least annually to the Audit Committee and such reporting will include an overall assessment of our compliance with our cybersecurity policies and procedures as well as topics that may include risk assessments, risk management and control decisions, service provider arrangements, test results, security incidents and responses and recommendations for changes and updates to policies and procedures. In the event of a cybersecurity incident, the CIO reports the incident to the executive leadership team. If the cybersecurity incident is determined to be material the executive leadership team will report the incident to the Audit Committee or Board of Directors as appropriate.
As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our continuing efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive or business harm or damage to our brand, lost sales, reduced demand, loss of intellectual property rights, significant costs or government investigations, litigation, fines or damages.
For more information, see “Our business and operations may be materially adversely affected in the event of computer system breaches or failures” in Item 1A. Risk Factors in this Annual Report on Form 10-K.