ALX ONCOLOGY HOLDINGS INC - (ALXO)
10-K Filing Date: March 07, 2024
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We periodically assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we evaluate whether and how to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel to manage our risk assessment and mitigation processes, including our Vice President of Operations (VPO), who serves as our acting Chief Information Security Officer (CISO), as well as external information technology consultants who help manage our information technology systems and our information security.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with our information technology consultants. Employees at all levels and departments are made aware of our cybersecurity policies through trainings.
We engage our information technology consultants, including dedicated on-site consultants as well as other third parties, in connection with our risk assessment processes. These partners help us design, implement, monitor, and test our cybersecurity policies and procedures. We also require key third-party service providers to certify that they have the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of their security measures that may affect our company.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to “Item 1A. Risk Factors” in this Annual Report on Form 10-K.
Governance
One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors, which is responsible for monitoring and assessing strategic risk exposure, has delegated primary oversight responsibility for cybersecurity to our audit committee.
Our VPO and acting CISO, who reports to our President, is responsible for the day-to-day management of our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above, with the assistance of and informed by our consultants. Our VPO and acting CISO, who has many years of senior management and operational oversight experience at emerging technology companies, is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through the day-to-day management of our information technology consultants, which includes engaging with information provided by the consultants, automated monitoring and detection systems, and other tools and processes defined by our cybersecurity policies.
Our VPO and acting CISO provides periodic briefings to our executive officers regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our VPO and acting CISO also provides periodic briefings to the board of directors, including the audit committee, on cybersecurity risks and activities.