Xenon Pharmaceuticals Inc. - (XENE)
10-K Filing Date: February 29, 2024
We rely on both internal information technology systems and networks, and those of third-party vendors and contractors, to acquire, transmit, store and otherwise process information in connection with our business activities. Our ability to effectively manage our business depends on the security, reliability and adequacy of our and our third-party contractors’ and vendors’ technology systems. As such, we have implemented an information security program designed to assess, identify, and manage risks from cybersecurity threats.
We perform risk assessments relating to cybersecurity and technology risks at least annually. Our cybersecurity risk management program has been developed based on industry standards, including those published by the National Institute of Standards and Technology (“NIST”). Highlights of the program include:
Risks identified through our cybersecurity program are assessed to determine the potential impact and likelihood of occurrence and mitigation plans are developed and implemented accordingly.
The Audit Committee of our Board of Directors bears the primary responsibility for oversight of cybersecurity risks. The Audit Committee is composed of board members with diverse expertise, including risk management, technology and finance, equipping them to oversee cybersecurity risks effectively. Management’s oversight is performed through an IT Steering Committee, a subset of executive management including our Chief Financial Officer, or CFO, and Chief Legal Officer, and relevant functional expertise, including our Senior Vice President, Information Systems, or SVP, IS. Our SVP, IS, is the primary member of the IT Steering Committee charged with responsibility for assessing, monitoring and managing our cybersecurity risks. With over 20 years of experience in information technology strategy and operations, his background includes extensive experience as an IT executive at various companies. At least annually, the SVP, IS, and the CFO provide a comprehensive report to the Audit Committee regarding cybersecurity risk assessments, emerging threats and changes to industry standards, and incident reports and remediation, if any.
The SVP, IS, oversees processes for the regular monitoring of our information systems, including potential vulnerabilities. In the event of a cybersecurity incident, the IT organization and designated members of executive management follow an established Cybersecurity Incident Response Plan. This plan includes immediate actions to contain the threat, mitigate the impact and assess materiality, and requires retrospective review and identification of corrective actions to reduce future risk.
During the fiscal year ended December 31, 2023, we did not experience any material impact to our business, financial position or operations resulting from previously identified cyberattacks or other information security incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material breaches. For a discussion of these risks, see “Item 1A—Risk Factors—Risk Related to Our Business and Industry—Our business and operations could suffer in the event of an actual or perceived information security incident such as a cybersecurity breach, system failure, or other compromise of our systems and/or information, including information held by a third-party contractor or vendor.”