2seventy bio, Inc. - (TSVT)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We have established processes to assess risks from cybersecurity threats, monitor our information systems for potential vulnerabilities, and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. In an effort to protect our information systems from cybersecurity threats, we have implemented information security and incident response policies as well as operating procedures. We also use various security tools that are designed to help us identify risks from cybersecurity threats, and escalate, investigate, resolve, and recover from cybersecurity incidents in a timely manner. We have an informal risk oversight committee, which is comprised of representatives from our information technology and legal functions, in consultation with business operations, as needed. The committee assesses risks based on probability and potential impact to key business systems and processes. We have established a process for risks that are considered high, including risks from cybersecurity threats, to be incorporated into our overall risk management program and tracked as part of our overall risk management program overseen by the Audit Committee of our board of directors.
We also collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These third parties include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We leverage these third parties to provide virtual chief information security officer and, if necessary, cybersecurity incident response services as well as to perform periodic penetration testing and other vulnerability scans. We also maintain processes designed to proactively manage potential supply chain risks posed by third-party vendors. As part of our cybersecurity risk management program, we work with certain third-party vendors to assess their cybersecurity processes, including a process for requesting that vendors who have access to our systems and data complete cybersecurity questionnaires prior to onboarding.
We face a number of cybersecurity risks in connection with our business. While cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected, and we do not believe they are reasonably likely to materially affect, our Company, including our business strategy, results of operations, or financial condition, to date, we have, like other companies in our industry, from time to time, experienced threats and cybersecurity incidents relating to our, and our third-party vendors’, data and information systems. Refer to the risk factor captioned "Our computer systems, or those of our third-party collaborators, service providers, contractors or consultants, may fail or suffer cybersecurity incidents, which could result in a material disruption of our product candidates’ development programs and have a material adverse effect on our reputation, business, financial condition or results of operations" in Part I, Item 1A. "Risk Factors" for additional description of cybersecurity risks and potential related impacts on our Company.
Governance
Our board of directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee of the board oversees our risk management program, which focuses on the significant identified risks. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats, as appropriate. The Audit Committee reviews our cybersecurity risk profile with management on a periodic basis, including reviewing assessments of our cybersecurity program and strategy for the prevention, detection, mitigation, and remediation of cybersecurity incidents.
We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. The Company's VP of IT is responsible for the establishment and maintenance of our cybersecurity program, as well as the assessment and management of cybersecurity risks. The VP of IT meets periodically with the Company’s leadership team to discuss the status of the Company’s cybersecurity program and relevant updates, as appropriate. The current VP of IT and the Director of Operations, who is directly responsible for day-to-day cybersecurity program and security operations, have over 20 years of combined experience in information security. The VP of IT and the Director of Operations provide periodic updates on our cybersecurity risk profile to the Audit Committee of our board of directors.