Kezar Life Sciences, Inc. - (KZR)
10-K Filing Date: March 14, 2024
Risk management and strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and critical data, including intellectual property, clinical trial data, and other confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).
The Company’s Chief Financial Officer (“CFO”), Information Technology (“IT”) manager, legal function and external information technology and cybersecurity service provider help to identify, assess and manage our cybersecurity threats and risks. They identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and our and our industry’s risk profile using various methods, including, for example, automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating threats reported to us, conducting internal audits, and conducting internal and external threat and vulnerability assessments.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, an incident response plan, incident detection and response, a vulnerability management policy, business continuity plans, risk assessments, encryption of data, network security controls, access controls, asset management and disposal, physical security, systems monitoring, employee training, penetration testing, and cybersecurity insurance.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, our IT manager works with our management team to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. Additionally, our management team evaluates material risks from cybersecurity threats against our overall business objectives and regularly reports to the Audit Committee of our board of directors, which evaluates our overall enterprise risk.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, managed cybersecurity providers, cybersecurity software providers, penetration testing firms, and professional services firms, including legal counsel.
We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosted services, CROs, and CMOs. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, we may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part I. Item 1A titled “Risks Related to Our Business Operations, Employee Matters and Managing Growth.”
Governance
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The Audit Committee of our board of directors is responsible for overseeing the Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including our CFO and IT manager. Our CFO has overseen and been responsible for the Company's information technology and cybersecurity programs since 2018, and before that held equivalent responsibilities at another public company. Our IT manager has approximately seven years of experience with testing, implementing and maintaining our information technology systems and security.
Our CFO is responsible for hiring appropriate personnel, retaining third-party information technology service providers, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, communicating key priorities to relevant personnel and approving budgets. Our IT manager and our third-party information technology service provider are together responsible for helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to key members of management depending on the circumstances. Our CFO works with the Company’s IT manager and our third-party information technology service provider to help us mitigate and remediate cybersecurity incidents of which our CFO is notified. In addition, our incident response plan includes reporting to the Audit Committee of our board of directors for certain cybersecurity incidents.
The Audit Committee receives regular reports from our CFO concerning the Company’s significant cybersecurity threats and risks, and the processes the Company has implemented to address them. The board of directors also has access to reports, summaries and presentations related to the Company's cybersecurity threats, risk and mitigation.