RECURSION PHARMACEUTICALS, INC. - (RXRX)

10-K Filing Date: February 29, 2024
Item 1C. Cybersecurity.

We believe cybersecurity is a critical component of our enterprise risk management function. Our strategy regarding Information Security (“InfoSec”) includes a comprehensive, proactive, and sustainable risk-based approach, assessing the risk posed to the Company at the strategic, operational, financial, and reputational levels. We take appropriate preventive, detective, and response measures to mitigate these risks on a continuing basis.

Risk Management Process

Recursion’s approach to InfoSec is informed by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”), which is a broad standards framework that provides direction and guidance to assess the Company’s InfoSec risk and implement InfoSec capabilities, and also provides measures of progress in areas that are relevant for the organization’s business objectives.

Risk Identification and Assessment

We have a dedicated InfoSec team that regularly reviews threat intelligence from various sources, including third-party InfoSec consultants, assesses the applicability of known threats and threat actor behavior and tactics to the Company, and assesses whether these threats pose risks to the Company. The InfoSec team then evaluates potentially appropriate administrative, technical, and physical controls to mitigate and reduce these risks within the appropriate business context and applies such controls where appropriate. We also have implemented a process to identify and mitigate risks from cybersecurity threats related to our use of third-party service providers.

These mitigation measures are detailed in the Company’s InfoSec Roadmap. Progress against this Roadmap and potential incidents are reviewed with management and the Company’s Audit Committee.

Risk Assurance

Our InfoSec team tests relevant controls and maintains industry standard attestations, including reports prepared by an independent AICPA-accredited auditor.

We also run regular cybersecurity exercises, such as penetration tests, to test the effectiveness of our controls. We use the results of these exercises to identify, evaluate, and prioritize potential areas of improvement through the InfoSec Roadmap.

Consequence Mitigation

We also test the effectiveness of the Company’s InfoSec Incident Response controls through tabletop exercises facilitated by a third party. These exercises test the Company’s ability to detect and respond to cybersecurity incidents in a timely manner with a goal to reduce the impact of the cybersecurity incidents. Our InfoSec policies, processes and procedures are tested for completion and accuracy through these exercises. We use the results of these exercises to identify, evaluate, and prioritize potential areas of improvement identified through the InfoSec Roadmap.

We, like any technology company in the current environment, have experienced cybersecurity incidents in the past, but we have not experienced a cybersecurity incident which has been determined to be material. For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Risks Related to Our Platform and Data.”

Cybersecurity Governance

Our cybersecurity processes are overseen by the Audit Committee of the Board of Directors. The Audit Committee, through its charter, has express oversight of the Company’s cybersecurity processes, controls, and procedures and is responsible for monitoring and reviewing the Company’s mitigation efforts. The Audit Committee receives quarterly briefings from senior leadership, including our Chief Information Security Officer, regarding information security risk, strategy, and effectiveness and progress of the InfoSec program. The Audit Committee also reviews with management significant information security incidents for the period and associated remediation plans, and new or emerging information security risks. The Board of Directors is also provided an update quarterly on the Company’s cybersecurity risk, processes, and mitigation efforts.

The execution of the Company’s cybersecurity processes is overseen by a committee that includes our Chief Information Security Officer, Chief Financial Officer, Chief Operating Officer, General Counsel and Chief Technology Officer. This committee is responsible for the overall cybersecurity strategy and approving the cybersecurity processes, policies, and procedures, including the InfoSec Roadmap. The committee receives regular reports on the InfoSec strategy, risks, and mitigation efforts. It is also informed of any potential reportable information security incidents and is responsible for assessing the impact and approving remediation plans, as well as escalating to the Audit Committee or Board of Directors. Overall implementation of the cybersecurity strategy is executed across the enterprise by Recursion’s InfoSec team, which is supervised by the Chief Information Security Officer.