Arbutus Biopharma Corp - (ABUS)

10-K Filing Date: March 05, 2024
Item 1C. Cybersecurity

We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.

Cybersecurity Program

Given the importance of cybersecurity to our business, we maintain a robust and comprehensive cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical and technical safeguards, with regular evaluations of our cybersecurity posture, including internal and external audits, as well as annual penetration tests. We also require cybersecurity training when onboarding new employees and contractors and on an annual basis thereafter. Our cybersecurity program leverages industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Risk Assessment Framework to strengthen our program effectiveness and reduce cybersecurity risks.

We use a risk-based approach with respect to our oversight of third-party service providers. As part of our new vendor onboarding process, we assess all new third-party service providers for technical capabilities, reputation, financial stability, pricing, and other criteria, and all new third-party service providers are reviewed and approved by our Finance and Legal departments. Foreign vendors are evaluated separately for compliance with the Foreign Corrupt Practices Act. Our contracts with third-party service providers include appropriate data security and privacy terms. For certain key third-party service providers, we obtain a SOC 2 Type 2 audit report from the vendor’s audit firm, which provides detailed information and assurance about a service organization’s security, availability, processing integrity, confidentiality and privacy controls, in accordance with Statement on Standards for Attestation Engagements No. 18.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

In the event of a cybersecurity incident, we maintain a regularly tested Incident Management and Response program as well as business continuity and disaster recovery plans. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat and handling it in accordance with that severity level.

We have relationships with a number of third-party service providers to assist with cybersecurity evaluation, containment and remediation efforts.

Governance

Management Oversight

The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Executive Director of IT and Information Security (ED, IT & IS), who reports to our Chief Financial Officer. Our ED, IT & IS has over 30 years of IT experience and an Advanced Graduate Certification in Cybersecurity. He is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. He provides regular briefings (quarterly at a minimum) to our Computer Security Incident Response Team consisting of the Chief Financial Officer and General Counsel/Chief Compliance Officer on cybersecurity matters, including threats, events, and program enhancements.


Board Oversight

While the Board of Directors has overall responsibility for risk oversight, our Audit Committee oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management, and overseeing our data privacy, information technology and security and cybersecurity risk exposures. On at least an annual basis, the ED, IT & IS reports to the Audit Committee on information security and cybersecurity matters, including significant information technology risks, material threats (and the potential impact of those exposures on our business, financial results, operations and reputation) and the steps implemented by management to monitor and mitigate exposures. He also apprises the Audit Committee promptly of any high priority cybersecurity incidents, consistent with our Incident Management and Response Policy, and provides updates to the full Board as needed.

Cybersecurity Risks

Management assesses the top organizational risks for the Company on an annual basis. Our cybersecurity risk is a component of our overall organizational risk assessment. Management also performs a specific cybersecurity risk assessment based on the NIST cybersecurity risk framework. As part of our cybersecurity risk assessment, department leaders identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. Department leaders are asked to consider the severity and likelihood of certain risk factors, drawing upon their company knowledge and past business experience. Our cybersecurity risk assessment helps to inform our risk mitigation strategies. While we maintain a robust cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.”

We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our own systems, networks, and technology or the systems, networks and technology of our contractors, consultants, vendors and other business partners.

In the last three years, we did not experience any material cybersecurity incidents or threats.