CYTOKINETICS INC - (CYTK)
10-K Filing Date: February 28, 2024
Risk management and strategy
Cytokinetics recognizes the critical importance of developing, implementing, and maintaining cybersecurity measures designed to safeguard our information systems and protect the confidentiality, integrity, and availability of our critical data.
Managing Material Risks & Integrated Overall Risk Management
Our cybersecurity team, led by our CISO, identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company’s risk profile using various methods including, for example, through manual and automated tools, internal and external audits, third-party threat assessments and third-party conducted red/blue team testing and tabletop incident response exercises and by subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats and conducting vulnerability assessments.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: maintaining an incident response plan, a vulnerability management policy, disaster recovery and business continuity plans and a vendor risk management program; conducting employee training, systems monitoring and penetration testing; implementing security standards, network security controls, access controls and physical security; encrypting and segregating data; through asset management, tracking and disposal; and maintaining cybersecurity insurance.
We have strategically integrated cybersecurity risk management into our broader risk management framework to promote a culture of cybersecurity risk management. This integration is designed to make cybersecurity considerations an integral part of our decision-making processes. Our risk management team works closely with our IT department and cybersecurity team to evaluate and address cybersecurity risks connected with our business objectives and operational needs.
Engage Third-parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, Cytokinetics engages with a range of external experts, including cybersecurity assessors, consultants, and auditors in evaluating and testing our risk management systems. These partnerships enable us to leverage specialized knowledge and insights. Our collaboration with these third parties includes periodic audits, threat assessments, and consultation on security enhancements.
Oversee Third Party Risk
Because we are aware of the potentially material risks from cybersecurity threats associated with third-party service providers, Cytokinetics implements processes to oversee and manage these risks. Depending on the nature of the services provided and the identity of the service provider, we may conduct security assessments of the provider before engagement and may monitor their compliance with our cybersecurity policies after engagement. The monitoring includes periodic assessments by our Chief Information Security Officer (“CISO”) and on an ongoing basis by our security specialists. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part I. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the discussion under the headings “Our internal computer systems, or those of our CROs, CMOs, supply chain partners, collaboration partners or other contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of our drug development programs” and “Significant disruptions of information technology systems or breaches of data security could adversely affect our business”.
Governance
Cytokinetics’ Board of Directors is aware of the critical nature of managing risks associated with cybersecurity threats. Our Board has established oversight mechanisms designed to ensure effective governance in managing material risks associated with cybersecurity threats because we recognize the significance of these threats to our operational integrity and stakeholder confidence.
Board of Directors Oversight
The Audit Committee is central to the Board’s oversight of cybersecurity risks and bears the primary responsibility for this domain. The Audit Committee is composed of board members with diverse expertise, including risk management, technology, and finance. The Audit Committee reports to the Board of Directors periodically regarding cybersecurity topics presented to the Audit Committee, and all materials made available to the Audit Committee are available to the rest of the Board of Directors.
Management’s Role Managing Risk
The CISO, the Vice President, Information Technology (“VP of IT”), the Chief Executive Officer (“CEO”) and the Chief Financial Officer (“CFO”) play a pivotal role in informing the Audit Committee on cybersecurity risks. They provide cybersecurity briefings to the Audit Committee on a regular basis, with a minimum frequency of once per year. These briefings encompass a broad range of topics, including as applicable: the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives and strategies, incident reports and learnings from any cybersecurity events, and compliance with regulatory requirements and industry practices.
In addition to our scheduled meetings, the Audit Committee, CISO, VP of IT, CEO and CFO maintain an ongoing dialogue regarding emerging or potential cybersecurity risks. Together, they receive updates from one another, as appropriate, on any significant developments in the cybersecurity domain, ensuring the Board’s oversight is proactive and responsive. The Audit Committee actively participates in strategic decisions related to cybersecurity, offering guidance and approval for major initiatives. This involvement ensures that cybersecurity considerations are integrated into the broader strategic objectives of Cytokinetics. The Audit Committee conducts an annual review of the company’s cybersecurity posture and the effectiveness of its risk management strategies. This review helps in identifying areas for improvement and ensuring the alignment of cybersecurity efforts with the overall risk management framework.
Management Personnel in Cybersecurity
Primary responsibility for assessing, monitoring and managing our risks from cybersecurity threats rests with the CISO, Mr. Eric Brown. With over 10 years of experience in the field of cybersecurity and over 20 years of experience in IT more broadly, Mr. Brown brings a wealth of expertise to his role. His background includes extensive experience as an enterprise CISO. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies. Our CISO oversees our governance programs, tests our compliance with standards, remediates known risks, and leads our employee training program.
Mr. Brown reports to the VP of IT, Mr. Daniel Casper. With over 20 years of experience in IT leadership roles in biopharma and industry services, Mr. Casper brings expertise in leading the effective business use of technology solutions and services to our industry. Our VP of IT has overall responsibility for the Company’s IT department and operations, including oversight over the CISO and cybersecurity team to ensure efforts to contain and remediate security incidents are sufficient and effective.
Monitor Cybersecurity Incidents
The CISO is responsible for informing himself from appropriate sources about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The CISO implements and oversees processes for the monitoring of our information systems. This includes the deployment of security measures and system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan. This plan includes immediate actions designed to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to Board of Directors
The CISO, in his capacity, regularly informs the VP of IT, the CFO, the CEO, and the General Counsel or Head of Legal of material cybersecurity risks and incidents. This is how executive management is kept abreast of our cybersecurity posture and potentially material cybersecurity risks facing Cytokinetics. Furthermore, significant cybersecurity matters and strategic risk management decisions are escalated by any of the CEO, the CFO and the General Counsel or Head of Legal to the Audit Committee, so that the Audit Committee can oversee and provide guidance on critical cybersecurity issues.