Fulgent Genetics, Inc. - (FLGT)
10-K Filing Date: February 28, 2024
We recognize the critical importance of maintaining the trust and confidence of customers, clients, patients, business partners, and employees toward our business and are committed to protecting the confidentiality, integrity, and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity policies, standards, processes, procedures, and practices are based on recognized frameworks established by the National Institute of Standards and Technology, or NIST and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, integrity, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Risk Management and Strategy; Effect of Risk
We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks, and other security incidents, including attacks perpetrated by hackers, unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program and regular oversight of our security monitoring for internal and external threats to protect the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and services, including regular network and endpoint monitoring, vulnerability assessments, penetration testing, threat monitoring, and tabletop exercises to inform our risk identification and assessment.
We also identify our cybersecurity threat risks by comparing our processes to standards set by NIST and the Center for Internet Security, as well as by engaging experts to attempt to infiltrate our information systems. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we also: perform periodic risk assessments, which include cybersecurity risks; monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws; through our policies, practices, and/or contracts (as applicable), require employees and certain third parties to treat confidential information and data with care; periodically update our relevant policies and procedures; employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence; provide regular, mandatory training for our employees regarding cybersecurity threats as a means to equip them with the tools and knowledge necessary to identify or address cybersecurity threats and to communicate our evolving information security policies, standards, processes, and practices; conduct regular phishing email simulations to enhance awareness of and responsiveness to possible threats; conduct annual cybersecurity training for our board of directors and senior management; run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies; leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; engage consultants to help us oversee and manage cybersecurity risks, processes, and incident response measures; and carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our incident response plan outlines and coordinates the activities we take to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess the severity of, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation. Our incident response plan further outlines the roles and responsibilities of various employees, managers, and senior leadership with respect to performing a materiality assessment and responding to cybersecurity events that are deemed material, and provides rapid escalation procedures after a cybersecurity incident. In the event of an incident, we intend to follow our incident response plan, which outlines the steps to be followed from incident detection to mitigation, recovery, and notification, including notifying functional areas (e.g., legal), as well as senior leadership and our board of directors, as appropriate.
Our cyber risk management program is integrated within the Company's enterprise risk management system and addresses both the corporate information technology environment and customer-facing products and services. The risk management program is focused on safeguarding the organization's digital assets, ensuring continuous business operations, and minimizing the potential impact of cyber threats. Regular assessments, including penetration tests, are performed. These inputs form the basis of a risk register that is integrated into the overall enterprise risk management program to further inform the Company's strategy by assessing the likelihood, impact, and velocity of these risks on a forward-looking basis.
As part of the above processes, we regularly engage consultants and other third parties to review our cybersecurity program and help identify areas for continued focus, improvement, and compliance. We engage them, specifically, to assist us with cybersecurity risk assessments, external threat environment reviews, internal cybersecurity policy compliance, and near-term incident response. Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our key suppliers, which have access to consumer, patient, and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We periodically perform diligence on certain third parties that have access to our systems, data, or facilities that house such systems or data, and we monitor cybersecurity threat risks identified through such diligence.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition under the heading “Actual or attempted security incidents or breaches, loss of data, or other disruptions could expose us to material liability and materially and adversely affect our business, financial condition, and our reputation,” which disclosures are incorporated by reference herein.
In the last three fiscal years, we have not experienced any material cybersecurity incidents. As of the date of this report, we do not believe that risks from any cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. However, these threats pose a risk to the security of our systems and networks and the confidentiality, availability, and integrity of our data. Cybersecurity attacks could also include attacks targeting patient, employee, or customer data or the security, integrity, and/or reliability of the hardware and software we utilize in our business operations. It is possible that our information technology systems and networks, or those managed or provided by third parties, could have vulnerabilities, which could go unnoticed for a period of time. While various procedures and controls have been and are being utilized to mitigate such risks, there can be no guarantee that the actions and controls we have implemented and are implementing will be sufficient to protect and mitigate associated risks to our systems, information, or other property. For more information, see the risk factors included in Item 1A of this Annual Report.
As of the date of this report, we do not believe that risks from any cybersecurity threats as a result of any previous cybersecurity incidents have materially affected or are reasonably likely to affect us, including our business strategy, results of operations or financial condition. However, we are aware that changes in our IT systems, including those provided by third parties, could expose us to risk in the future. We cannot guarantee that controls we will implement to mitigate this risk will eliminate it. See Item 1A of this Annual Report for discussion of this risk.
Cybersecurity Governance; Management
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats.
At least quarterly, our board of directors receives an update from management on our cybersecurity threat risk management and strategy processes, covering topics such as data security posture, any results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our board of directors generally receives materials that include a cybersecurity dashboard and/or other materials discussing current and emerging material cybersecurity threat risks and describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments, and information security considerations arising with respect to our peers and third parties, and discusses such matters with our Chief Information Security Officer and/or General Counsel and Chief Privacy Officer. Our board of directors also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Members of our board of directors are also encouraged to regularly engage in conversations with management on cybersecurity-related news and events and to discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board meeting discussions of important matters such as enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters. Our Chief Information Security Officer advises our board of directors on the specific vulnerabilities we have identified and the controls we have put in place to mitigate our risk.
Our cybersecurity program is managed by a dedicated team, which is led by our Chief Information Security Officer (CISO), who reports to the Chief Operating Officer and has the ability to communicate directly with our CEO if necessary. Our CISO has over 20 years of IT experience, including over 18 years of cybersecurity experience, holds an M.S. degree in Information Security, and is a Certified Information Systems Security Professional (CISSP). As discussed above, our CISO and/or General Counsel and Chief Privacy Officer report to our board of directors about cybersecurity threat risks, among other cybersecurity-related matters, on a quarterly basis.
In addition, our cybersecurity risk management and data strategy processes are further overseen by members of our management team. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. Such individuals have extensive prior work experience in various roles involving managing information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs, and hold relevant degrees and certifications.