Akili, Inc. - (AKLI)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information and data that is proprietary, strategic or competitive in nature (together, “Information Systems and Data”).

Our information security team (with oversight from our Chief Information Security Officer (“CISO”) and support from our head of information technology) helps to identify, assess, and manage the Company’s cybersecurity threats and risks. Our information security team works to identify and assess risks from cybersecurity threats by monitoring and evaluating the Company’s threat environment and risk profile using various methods including, for example, vulnerability scanning and monitoring and periodic testing and audits.

Depending on the environment, we have implemented various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, from time to time, vulnerability management, information classification and data protection, asset management, software patching processes and procedures, access control, encryption, back-up procedures, disaster recovery plans, training, executive oversight, event logging, endpoint detection, multi-factor authentication, continuous monitoring, audits and engagement of third parties to conduct analysis of our Information Systems and Data.

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, cybersecurity risk is addressed as a component of the Company’s enterprise risk assessment and our information security team works with management to prioritize our risk management processes and mitigate cybersecurity threats that we believe are more likely to lead to a material impact to our business. In addition, our senior management evaluates material risks to the Company, including material risks from cybersecurity threats against the Company’s overall business objectives and reports to the audit committee of our Board, which evaluates our overall enterprise risk and related management of such risk.

In addition, we use third party service providers to perform a variety of functions throughout our business. As a result of such use of third party service providers, we face additional cybersecurity-related risks. We have a vendor management program designed to help us manage cybersecurity risks associated with our use of third party service providers. We maintain a risk-based approach to evaluating and overseeing cybersecurity risks presented by our third party service providers. Third party service providers that meet certain criteria, such as owning and operating any information technology networks and systems on which the Company relies or where the Company’s anticipated use of such third party service providers may result, for example, in the provider’s access or processing of certain Company information or data, are evaluated to assess their performance across several domains, including data security, operations management, and privacy. We seek to maintain effective communication with our third party service providers to facilitate timely notification of cybersecurity incidents that might impact the Company.

We do not believe that any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected our overall business strategy, results of operations, or financial condition. While we have mitigating and compensating controls in place to protect against what we believe are some of the most significant types of cybersecurity threats that our business faces, such as ransomware attacks, denial of service attacks, theft of resources and unauthorized use or disclosure of customer data or confidential information, if such an event were significant and successful, it would be reasonably likely to materially affect our business strategy, results of operations, or financial condition by, for example, causing substantial disruptions to our product offering, services or support or incurring significant costs to mitigate and remediate the damage caused by such an attack. For information regarding cybersecurity risks that may materially affect our Company, see Part I, Item 1A. “Risk Factors” of this Annual Report for more information regarding cybersecurity and other risks we face.

Governance

Our Board has overall responsibility for risk oversight and has delegated to the audit committee primary enterprise risk oversight responsibility for overseeing the Company’s risk assessment and risk management related to cybersecurity. The audit committee of our Board receives periodic updates from our Security and Privacy Council and/or Information Security team concerning the Company’s significant cybersecurity threats and risks and the processes the Company has implemented to address them.

We have established a Security and Privacy Council (the “Council”), which as of the date of this Annual Report includes our CISO, Chief Legal Officer and other employees from our legal, engineering, information security, and information technology departments, which meets at least quarterly to review and evaluate information security and privacy risks and mitigations, information security resources and budget, audits, and monitoring programs. The Council includes certain members who have extensive experience assessing and managing risks from cybersecurity threats, including multiple decades of combined experience across information technology and information security positions; serving in leadership positions at other public companies; and having other significant experience in the areas of risk management, engineering, information technology, and information security.

Our management team is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our business processes and our overall risk management strategy, and communicating key priorities to relevant personnel. Our management team is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response policy and procedures are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. Members of management and other technical experts will work with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified.