PTC THERAPEUTICS, INC. - (PTCT)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

As is the case for most companies, we are regularly subject to cyber-attacks and other cyber incidents and, therefore, cybersecurity is an important element of our overall enterprise risk management program. As part of our ordinary course of business, we collect, store and transmit large amounts of confidential information, including personal information, operational and financial transactions and records, clinical trial data and information relating to intellectual property, on internal information systems and through the information systems of collaborators and third-party vendors with whom we contract. We have a multilayered approach for assessing, identifying and managing cybersecurity risks that is designed to help protect such information from internal and external cyber threats by understanding and seeking to mitigate risk while ensuring business resiliency. Our cybersecurity prevention methods include implementing the National Institute of Standards and Technology cybersecurity framework, instituting a training and compliance program on cybersecurity for all employees, completing a yearly external audit and penetration test, conducting vulnerability scans and remediations and monitoring threat intelligence feeds. As part of our overall risk management strategy, we also maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches. We also conduct security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. This process involves third-party providers responding to cybersecurity questionnaires and information technology, or IT, security team meetings to review and assess the third-party providers' security posture to confirm that the provider is ensuring the security, integrity, and availability of processed data.

We have also established a global incident response management standard operating procedure, or GIRM. Our GIRM provides step-by-step instructions for managing any global incident which is disruptive of or interferes with the delivery and operation of our IT services and systems that are in use. Specifically, the GIRM provides direction as to how information with respect to a cybersecurity incident is communicated internally, including with our executive committee leadership team. As regulatory disclosure requirements regarding cybersecurity incidents and data privacy matters have become more prevalent, we have developed an incident workflow designed to monitor and evaluate if such disclosure requirements are triggered by an incident through the inclusion of members of our legal, data privacy and executive teams in the incident response process.

We engage third parties, including independent privacy assessors, computer security firms and risk management and governance experts to enhance our cybersecurity oversight. For example, on an annual basis we run a penetration test of our systems, performed by a different external third party each year. We also regularly consult with these third parties on emerging industry trends.

We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect the company or its business strategy, results of operations or financial conditions.

Cybersecurity Governance and Oversight

Our Board of Directors administers its cybersecurity risk oversight function primarily through the Audit Committee of the Board of Directors. In accordance with our Audit Committee Charter, our Chief Information Officer, or CIO, provides periodic updates to our Audit Committee regarding the Company’s cybersecurity and other technology risks, internal controls and procedures, including the Company’s plan to mitigate cybersecurity risk and respond to data breaches. The Audit Committee is also responsible for reviewing any related periodic public filing disclosures. The Board of Directors receives regular reports from the Audit Committee. Our CIO also presents directly to our Board of Directors on an annual basis on these matters. Our IT team is responsible for maintaining daily operations and ensuring the confidentiality, integrity and availability of data. Our CIO oversees a cybersecurity team that has over 15 years’ experience in cybersecurity along with advanced and undergraduate degrees in cybersecurity, and industry-recognized security certifications such as CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager). Our CIO reports directly to our Chief Legal Officer, who is a member of our executive committee leadership team. Cybersecurity incident status updates are provided as necessary to the executive committee as set forth in our GIRM. In the event of a cybersecurity incident, our IT team is trained to follow our GIRM.

In an effort to deter and detect cyber threats, we periodically provide all employees, including part-time and temporary employees, with data protection, cybersecurity and incident response and prevention training as part of our overall IT compliance program, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.

For more information regarding the risks associated with our cybersecurity program, see Item 1A. Risk Factors, “Our business and operations would suffer in the event of computer system failures, cyber-attacks or a deficiency in our, or our collaborators’ or third-party vendors’, cyber-security.”