ANAPTYSBIO, INC - (ANAB)

10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity
We recognize the critical importance of maintaining the trust and confidence of all of our stakeholders. Our business depends on the efficient and uninterrupted operation of our information technology systems and those of our third-party CROs, CMOs, or other vendors, contractors or consultants.
Risk Management and Strategy
The Company’s cybersecurity program is focused on the following key areas:
Governance: The Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board (the “Audit Committee”), which regularly interacts with our Head of IT and our executive management team.
Collaborative Approach: We have implemented a cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: We deploy technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Incident Response and Recovery Planning: We have established and maintain incident response and recovery plans to address our response to a cybersecurity incident.
Third-Party Risk Management: We strive to proactively manage third-party risks to minimize any adverse effects on our business that may arise due to a cybersecurity incident affecting third-party systems and vendors. While we rely on third-party vendors to manage and maintain their own cybersecurity defense programs, we are developing a vendor risk management program to assess our exposure to these external cybersecurity risks.
Education and Awareness: We provide mandatory training and resources for personnel regarding cybersecurity threats as a means to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We engage in the periodic assessment and testing of our cybersecurity program. These efforts include a wide range of activities, including audits, assessments, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. These activities may be performed by external cybersecurity and application security professionals.
Governance
The Board, in coordination with the Audit Committee, oversees our risk management process. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed. On an annual basis, the Audit Committee discusses our approach to cybersecurity risk management with the Head of IT.
Our Head of IT, in coordination with our executive management team, works collaboratively across the company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Through ongoing communications with our entire employee base and appropriate third-party contractors, the Head of IT and the executive management team monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee when appropriate.
Our Head of IT has over 20 years of IT experience in the pharmaceutical industry and oversees the cybersecurity program at AnaptysBio. He has experience developing and leading cybersecurity programs for pharmaceutical companies, including experience in evaluating and implementing tools and technologies that enable defense and response capabilities and developing critical cybersecurity procedures and training and awareness programs.
Although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material cybersecurity threats that have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. For more information on our cybersecurity risks, see Item 1A “Risk Factors.”
