Y-mAbs Therapeutics, Inc. - (YMAB)

10-K Filing Date: February 29, 2024

ITEM 1C.

CYBERSECURITY.

Risk management and strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and information related to our clinical trials and product, product candidates, and technology (“Information Systems and Data”).

We have a multi-stakeholder team to help identify, assess, and manage the Company’s cybersecurity threats and risks, comprised of representatives from our third-party IT administrator, Legal and Compliance Administration, and Finance departments. This team, along with our third-party IT service providers, identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, by using automated monitoring tools, subscribing to analysis and services that identify cybersecurity threats, conducting scans of the threat environment, conducting internal and external review of certain data and systems, and having third parties conduct periodic assessments of our threat environment.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example maintaining an incident response policy and incident detection and response procedures, disaster recovery and business continuity plans and an IT contingency policy, encrypting certain data, conducting risk assessments for certain data and systems, implementing certain network security, physical and access controls, monitoring our systems, providing periodic training to employees and using tools such as penetration testing tools.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, our IT and Legal and Compliance departments work with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

120

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example, our third-party IT service provider, cybersecurity consultants, outside legal counsel, software providers, and penetration testing firms.

We use third-party service providers to perform a variety of functions throughout our business, including hosting providers, CROs, and CMOs. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes, as appropriate, risk assessments of vendors, reviewing our vendors’ information security program, reports, audits, and imposing relevant contractual obligations on our vendors. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including under the heading “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; loss of customers or sales; and other adverse consequences”

Governance

Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain individuals in Company management, including our Director of IT, HR & Administration, and our Chief Financial Officer, Treasurer and Secretary (CFO).

Our Director of IT, HR & Administration has been responsible for IT and cybersecurity for approximately 15 years across several organizations, and is currently responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our CFO has had the overall IT and cybersecurity responsibility since inception of the Company in 2015 and is currently responsible for approving IT and cybersecurity related policies, processes, and procedures, approving related activities and budgets, helping prepare for cybersecurity incidents, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response policy is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our CFO and CEO, as appropriate and provides for our management team to work with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s incident response policy includes reporting to the audit committee of the board of directors for certain cybersecurity incidents.

As part of its oversight of the Company’s overall risk management, the audit committee is periodically updated by our CFO concerning cybersecurity threats and risks and the processes the Company has implemented to address them.

© 2024 Material-Incidents. All rights reserved.