RHYTHM PHARMACEUTICALS, INC. - (RYTM)
10-K Filing Date: February 29, 2024
Cybersecurity Risk Management and Strategy
We design and assess our cybersecurity program based on the CIS Controls and NIST Cybersecurity Framework (CSF). These frameworks provide us with a common language and structure for identifying, assessing, and managing cybersecurity risks across our organization. We do not claim to comply with any technical standards, specifications, or requirements by using these frameworks. They are guides that help us to deal with the cybersecurity risks that are relevant to our business.
Our cybersecurity program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. To this end, we have implemented a cybersecurity program that includes the following elements:
● A Cybersecurity Manager responsible for developing and maintaining our administrative, technical, and physical cybersecurity controls.
● Risk assessments designed to identify material cybersecurity risks to our critical systems and information.
● A Security Operations Center (SOC) to monitor our critical infrastructure and execute immediate, human-led responses to confirmed threats.
● External technology and security providers, where appropriate, to assess, test or otherwise assist with aspects of our cybersecurity program.
● Cybersecurity awareness training for employees and supplemental training for senior management and other personnel who access highly sensitive information.
● A trained incident response team and written procedures to navigate the incident response lifecycle.
● A third-party risk management process and questionnaire for service providers and vendors who access sensitive information.
We have not identified risks from known cybersecurity threats, including any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information, see the section titled “Risk Factors — Our information technology systems, or those of our third-party CROs, CMOs or other contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of setmelanotide development programs, regulatory investigations, enforcement actions and lawsuits.”
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity risks. The Committee oversees management’s implementation of our cybersecurity program.
The Committee receives periodic reports from management on our cybersecurity program and risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential. The Committee reports to the full Board regarding its activities and risk management functions, including those related to cybersecurity. Board members receive presentations on cybersecurity risk and strategy from our Cybersecurity Manager as part of the Board’s continuing education on topics that impact public companies.
The Cybersecurity Manager, with the help of our IT and Legal teams, is responsible for assessing and managing our material risks from cybersecurity threats. The Cybersecurity Manager position has primary responsibility for our overall cybersecurity risk management program and supervises both our internal personnel and our retained external cybersecurity consultants. The current Cybersecurity Manager has extensive information security and program management experience and has held past positions as a virtual CISO for a wide range of organizations.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.