Olema Pharmaceuticals, Inc. - (OLMA)
10-K Filing Date: March 11, 2024
Risk management and strategy
We have established and maintain various information security processes designed to identify, assess, and manage cybersecurity risks to our critical computer networks, third-party hosted services, communication systems, hardware, software, and vital data, such as intellectual property, confidential proprietary information, strategic assets, and nonclinical/clinical trial data (“Information Systems and Data”). Our Chief Operating and Financial Officer, Vice President of Information Technology, cybersecurity business partner and IT & Legal teams collaborate to address cybersecurity threats and risks, leveraging our risk register when needed. Our VP of Information Technology, members of our in-house IT team, and our third-party cybersecurity business partner all play an active role in monitoring and assessing risks from cyber threats through a variety of methods including automated tools, third-party testing, tabletop incident response exercises, threat actor analysis, industry risk profiling, and collaboration with law enforcement.
We employ a range of measures, processes, standards, and policies tailored to specific environments designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. These include data encryption, network security controls, secure physical facilities, employee training, access management, change management and comprehensive asset management, tracking, and disposal procedures.
Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, the security team, which includes our VP of Information Technology and third-party service providers, works with management to prioritize our risk management processes and take steps to mitigate cybersecurity threats that are determined to be more likely to lead to a material impact to our business. Key findings and status of the cybersecurity landscape are reviewed with the Audit Committee of our Board of Directors, or Audit Committee, which evaluates our overall enterprise risk.
We engage various categories of third-party service providers to augment our efforts in monitoring, identifying, assessing, and mitigating significant cybersecurity risks. These third-party service providers encompass a range of expertise, including professional services firms such as legal counsel, cybersecurity consultants with specialized knowledge, providers of cybersecurity software solutions, managed cybersecurity service providers offering ongoing monitoring, protection and support, external testing firms specializing in services such as penetration testing to evaluate vulnerabilities, and forensic investigators who are enlisted as necessary to conduct comprehensive investigations and assessments when specific incidents or breaches occur.
We enlist third-party service providers across our business functions, including application providers, hosting companies, contract manufacturers, and supply chain resources. Depending on the service type, data sensitivity, and provider identity, our vendor management process assesses cybersecurity risks and establishes corresponding contractual cybersecurity obligations, tailored to each provider's role and the nature of Information Systems and Data involved.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under "Part 1. Item 1A. Risk Factors" in this Annual Report on Form 10-K, including under the section titled "—Risks related to employee matters, managing our growth and other risks related to our business."
Governance
Our Board of Directors retains responsibility for evaluating key business risks faced by the Company, including but not limited to information security. In part, our Board of Directors addresses its general oversight function by delegating the Company's cybersecurity risk management to the Audit Committee. The Audit Committee's responsibilities include supervising risk mitigation efforts related to cybersecurity threats, evaluating the sufficiency and effectiveness of information security policies and practices, and ensuring robust internal controls for information security.
Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including our Vice President of Information Technology, who has over 15 years of extensive experience managing cybersecurity programs and who reports to our Chief Operating and Financial Officer. The Vice President of Information Technology is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company's overall risk management strategy, and communicating key priorities to relevant personnel. The Chief Operating and Financial Officer is responsible for approving budgets, aiding in the preparation for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response procedures involve escalating specific incidents to certain members of management as needed, including the Vice President of Information Technology, Chief Operating and Financial Officer and the Chief Executive Officer. The Chief Operating and Financial Officer collaborates with our incident response team, which includes members of our in-house IT, facilities, human resources, regulatory, legal, and communications teams, to address and resolve reported cybersecurity incidents. Olema’s incident response procedures mandate reporting certain types of cybersecurity incidents to the Audit Committee and other agencies as required by law.
The Audit Committee periodically receives reports from the Vice President of Information Technology on the Company's significant cybersecurity threats, risks, and mitigation processes. The Audit Committee also receives various summaries, presentations, and reports pertaining to cybersecurity threats, risks, and mitigation.