Natera, Inc. - (NTRA)
10-K Filing Date: February 29, 2024
CYBERSECURITY
Risk Management and Strategy
In the ordinary course of our business, we collect and store sensitive data, including legally protected personal information, such as test results and other patient health information, credit card and other financial information, insurance information, and personally identifiable information, as well as sensitive intellectual property and other proprietary business information, including that of our customers, payers and collaboration partners. We are highly dependent on information technology networks and systems – our own as well as those of third-party vendors and their subcontractors – to securely process, transmit, and store this sensitive data and business-critical information.
Although we take measures to protect sensitive information from unauthorized access, use or disclosure, our information technology and infrastructure, and that of our technology and other third-party service providers and their subcontractors, are nevertheless inherently vulnerable to, and from time to time experience, various cybersecurity threats. We continue to invest in the security and resiliency of our networks and to enhance our internal controls and processes, which are designed to help protect our systems and infrastructure, and the information they contain. For more information regarding the risks we face from cybersecurity threats, please see “Item 1A. Risk Factors” included elsewhere in this Annual Report on Form 10-K.
Risk Management Processes
Our Information Security Execution Team is responsible for the day-to-day execution of our information security strategy and operations, and comprises key stakeholders across the Company’s information services & technology, engineering, legal, privacy, compliance, finance, human resources, and product teams. The Information Security Execution Team coordinates cross-functionally to identify, assess, and address immediate and emerging risks from cybersecurity threats, including leading the formation and activities of working groups and response teams to address cybersecurity matters that arise from time to time. We maintain a cybersecurity incident response plan that addresses critical aspects of incident management, including detection, impact analysis, containment, mitigation, remediation, recovery, and long-term strategies for remediation and prevention of future incidents. In carrying out our incident response plan, our Information Security Execution Team also assesses incidents, or multiple related incidents, by reference to a set of specified criteria and, if one or more of such criteria are met, reports such incidents to management.
Our cybersecurity program is aligned with industry standards and best practices, such as the National Institute of Standards and Technology, or NIST, Cybersecurity Framework. We use various tools and methodologies to monitor and manage cybersecurity risks. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. Our Information Security Execution Team conducts annual tabletop exercises to ensure preparedness for information security, including cybersecurity, incidents. In addition, we promote a company culture of awareness and discipline in cybersecurity matters through annual employee training and education, including periodic phishing simulations.
We engage with a range of external experts, including cybersecurity assessors, consultants, and auditors, in evaluating and attesting to our risk management systems, including an annual Systems and Organization Controls 2, or SOC 2, audit with respect to the security, availability, and process integrity trust services criteria, or TSC. Our collaboration with these third-party service providers includes regular audits, threat assessments, and consultation on cybersecurity strategy and enhancements. Recognizing the risks associated with these and other third-party service providers, we also conduct risk assessments on selected systems and third-party service providers on an ongoing basis.
Governance
Board Oversight
Cybersecurity is an important area of focus for our board of directors. Our audit committee is responsible for carrying out, on behalf of our board of directors, oversight of information security, including cybersecurity, risks. Our audit committee is composed of directors with diverse expertise relevant to such committee’s responsibilities, and includes two directors who have expertise or certifications in cybersecurity. Our management team provides updates on cybersecurity matters to our audit committee on a quarterly basis, with more frequent or interim communications as warranted.
In addition to the oversight by our audit committee, our board of directors receives an annual report on cybersecurity matters from our Chief Technology Officer, or CTO. Our Chief Compliance & Privacy Officer, or CCPO, and CTO also attend regular meetings of our board of directors, and engage in discussions on an ad hoc basis relating to cybersecurity and information security matters.
Management
We maintain an Information Security Leadership Committee, or ISLC, that is accountable for enterprise-level information security risk strategy, identification, prioritization, and mitigation, including establishing objectives and priorities. The ISLC comprises company executives that, collectively, represent experience and expertise in information technology, enterprise security and risk management, cybersecurity, engineering, technology, privacy, data security, and healthcare compliance. Members of this committee include our CTO, CCPO, Chief Information Officer, Chief Information Security Officer, and Chief Accounting Officer. The ISLC meets on at least a quarterly basis to review matters including updates on existing and emerging cybersecurity risks and threats including prioritization, mitigation, and remediation; the status of projects to strengthen our information security systems; assessments of our information security program and operations; and prioritized information security incidents, if any. The ISLC oversees the Information Security Execution Team.