aTYR PHARMA INC - (LIFE)
10-K Filing Date: March 14, 2024
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, data associated with our clinical trials or manufacturing campaigns, and other confidential information that is proprietary, strategic or competitive in nature. We perform periodic assessments of our information security processes, and the results of these assessments are reported to the audit committee of the board of directors (Audit Committee) as part of a cybersecurity update report conducted at least annually.
We also engage vendors from time to time to assist with enterprise managed detection and response, security information and event management, and enterprise vulnerability management. These vendors also assist us from time to time in identifying, assessing and managing material risks from cybersecurity threats. The vendors include threat intelligence service providers, cybersecurity software providers and managed cybersecurity service providers.
We have adopted an Incident Response Management Procedure (Procedure) designed to help us respond to cybersecurity incidents and mitigate our risks and impacts. An incident response team is responsible for carrying out the Procedure and is led by our Information & Technology (IT) department, and includes members from our legal and compliance, finance, and human resource departments (Security Management Team). We also manage and maintain business continuity and disaster recovery capabilities to help ensure the availability of business-critical technology resources during adverse conditions.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management process. In addition, we have implemented a cybersecurity third party risk management process designed to assess the cybersecurity practices and monitor certain critical third parties, and to assist the business in making risk-informed technology services decisions. Our practice is to perform due diligence on certain third parties who maintain Sensitive Information, including CROs that manage and administer our clinical trials, and our CDMOs that manufacture our drug product to be used in clinical trials. Additionally, we monitor these third parties through frequent program management meetings as well as joint steering committee meetings in certain cases.
For a description of the risks from cybersecurity threats that may materially affect us and how those threats may do so, see our risk factors under Part 1. Item 1A. “Risk Factors - If our information technology systems or data, or those maintained on our behalf, are or were compromised, this could result in a Material Adverse Impact.”
Governance
Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for reviewing, assessing and considering the overall risk management policies and procedures, including our cybersecurity risk management processes, and oversight of mitigation of risks from cybersecurity threats.
Our Security Management Team is responsible for day-to-day management of cybersecurity risk, including hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity risk assessment and management processes are implemented and maintained by the Security Management Team. Our Security Management Team includes our CFO, who has more than 15 years of experience in managing IT departments, and certain members of our IT department who have over 25 years of experience in cybersecurity, information security, data protection, privacy, regulatory compliance and risk management.
Our cybersecurity incident response and vulnerability management policies are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our CFO, CEO and other members of our executive leadership team (ELT). Our CFO, CEO and ELT work with our Security Management Team to help us mitigate and remediate cybersecurity incidents of which they are notified. In addition, our incident response and vulnerability management policies include reporting to the Audit Committee for certain cybersecurity incidents.
The Audit Committee receives annual reports from the Security Management Team concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. The Audit Committee also receives various reports, summaries or presentations related to cybersecurity threats, risk and mitigation.