XOMA Corp - (XOMA)

10-K Filing Date: March 08, 2024

Item 1C. CYBERSECURITY

Risk Management and Strategy

Within our overall enterprise risk management framework, we evaluate our cybersecurity strategy annually, including our processes designed to assess, identify, and manage risks from potential unauthorized occurrences on or through our information technology systems that may adversely affect the confidentiality, integrity, and availability of these systems and the data residing in them. Our cybersecurity strategy takes a multi-faceted approach that focuses on the following key areas: (i) the human element within the organization; (ii) perimeter security; (iii) network security; (iv) application security; (v) endpoint security; and (vi) data security. We use a wide array of processes, mechanisms, controls, technologies, systems, strategies and tools in each of these areas, including but not limited to: routine security awareness training, formal evaluations of third-party applications, password strength policies, antivirus software, firewalls, routine patch management, encryption software, data backups and data redundancies, email security software, multi-factor authentication tools, network security monitoring, and web vulnerability scanning.

We engage outside consultants on a regular basis to help us design internal controls and processes to address cybersecurity risks. We also leverage these outside consultants and other third parties, when appropriate, to implement suitable processes, policies, and internal controls designed to help prevent, detect, and/or mitigate these cyber threats.

In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity threats that, if realized, are reasonably likely to materially affect us. These threats include but are not limited to: (i) ransomware and malware attacks; (ii) endpoint attacks; (iii) compromised business email and other social engineering threats; and (iv) vulnerabilities related to inadequate patch management. Our licensees, suppliers, contractors, and consultants also face similar cybersecurity risks, which could have an adverse impact on our business. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, “Risk Factors,” under the headings “If our information technology systems or data or those of our partners or contractors are compromised, our business could experience adverse consequences, including regulatory investigations or actions; litigation; fines and penalties; a disruption of our business operations; reputational harm; and loss of revenue or profits” and “Compliance with the stringent and changing obligations related to data privacy and security is an onerous and resource-intensive process. Our actual or perceived failure to comply with any data privacy or security obligations could lead to regulatory investigations or actions; litigation; fines and penalties; a disruption of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse business consequences.”

Governance

Our management, led by our Chief Executive Officer and the Senior Vice President, Finance and Chief Financial Officer, is responsible for assessing cybersecurity risks and for confirming we have an appropriate cybersecurity strategy to assess and manage those risks, including responding to attacks or breaches. Our Chief Executive Officer and the Senior Vice President, Finance and Chief Financial Officer each have experience in senior leadership roles in which they have been responsible for the entity’s enterprise risk management, including management of cybersecurity risks. The Chief Executive Officer and the Senior Vice President, Finance and Chief Financial Officer meet regularly with the individuals charged with the day-to-day IT operations and infrastructure, and at least quarterly to review and assess potential cybersecurity threats to determine whether any changes need to be made to our cybersecurity strategy. The Chief Executive Officer and the Senior Vice President, Finance and Chief Financial Officer sponsor periodic cybersecurity awareness training for all employees.

We also maintain an Incident Response Plan that sets forth a protocol in the event we are exposed to a cyber-attack or breach. The Incident Response Plan provides a framework for our response, including the appropriate communication and escalation channels.

The Board, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee of the Board, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. Management provides regular updates to the Audit Committee of the Board regarding risk assessments, developing threats, and the current and planned cybersecurity strategy, and promptly provides notification of significant attacks or breaches as part of the Incident Response Plan. The Board also receives updates from management and the Audit Committee on cybersecurity risks on at least an annual basis.