CareDx, Inc. - (CDNA)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY
Our Board of Directors, or the Board, is responsible for overseeing our risk management program, and cybersecurity is a critical element of this program. Management is responsible for the day-to-day administration of our risk management program and our cybersecurity policies, processes, and practices. Our cybersecurity policies, standards, and controls are based on the SOC 2 Type 2 security criteria as defined by the American Institute of Certified Public Accountants, periodic assessments using the recognized National Institute of Standards and Technology Cybersecurity Framework, and other applicable industry standards. Our cybersecurity program is fully integrated into our overall risk management system and processes. In general, we seek to address material cybersecurity threats through a company-wide approach that addresses the confidentiality, integrity, and availability of our information systems and the information that we collect and store, by assessing, identifying, and managing cybersecurity issues as they occur.
Cybersecurity Risk Management and Strategy
Our cybersecurity risk management strategy focuses on several areas:
Identification and Reporting: We have implemented a cross-functional approach to assessing, identifying, and managing material cybersecurity threats and incidents. Our program includes controls and procedures to identify, classify, and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of material incidents in a timely manner.
Technical Safeguards: We implement technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through routine vulnerability assessments and cybersecurity threat intelligence, as well as outside audits and certifications.
Incident Response and Recovery Planning: We have established and maintain an incident response plan designed to address our response to a cybersecurity incident, and a business continuity and disaster recovery plan. We conduct annual tabletop exercises to test these plans.
Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties, including vendors, service providers, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems, including any outside auditors or consultants who advise on our cybersecurity systems.
Education and Awareness: We provide regular, mandatory training for all employees regarding cybersecurity threats, as a means to equip them with the tools to recognize and address such threats, as well as to communicate our evolving information security policies, standards, processes, and practices.
We conduct periodic assessments and testing of our policies, standards, processes, and practices in a manner designed to address cybersecurity threats and events. The results of such assessments, audits, and reviews are evaluated by management and reported to the Audit Committee of the Board, or the Audit Committee, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews.
Governance
The Board, in coordination with the Audit Committee, oversees our risk management program, including the management of cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by our peers and third parties. The Board and the Audit Committee also receive prompt and timely information regarding any cybersecurity risk that meets pre-established reporting thresholds. Annually, the Board and the Audit Committee discuss our approach to overseeing cybersecurity threats with our Chief Information Security Officer/Chief Information Officer, or CISO/CIO, and other senior management members.
The CISO/CIO, in coordination with senior management including the Office of the Chief Executive Officer, or the CEO, Chief Financial Officer, and General Counsel, works collaboratively across our company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity program, cross-functional teams have been established to address cybersecurity threats and respond to cybersecurity incidents. Through ongoing communications with these teams, the CISO/CIO and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents, and report such threats and incidents to the Audit Committee when appropriate.
The CISO/CIO has served in various roles in information technology and information security for over 20 years, including serving as the Chief Information Security Officer of another public company for over 6 years. The CISO/CIO holds undergraduate and graduate degrees in computer science and has attained the professional certification of Certified Chief Information Security Officer. Our CEO, Chief Financial Officer, and General Counsel each hold undergraduate and graduate degrees in their respective fields. Collectively, they have several decades of experience managing risk at our company and in similar organizations or settings and assessing cybersecurity threats.
Material Effects of Cybersecurity Incidents
Except as described in the section entitled “Risk Factors” included in Part I, Item 1A, including, without limitation, the risk factor above titled “We face four primary risks relative to protecting critical information: loss of access risk, inappropriate disclosure risk, inappropriate modification risk and the risk of our being unable to identify and audit our controls over the first three risks. In addition, an application, data security or network incident may allow unauthorized access to our systems or data or our customers’ data, disable access to our service, harm our reputation, create additional liability and adversely impact our financial results,” risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition. In this instance, materiality is defined as an adverse impact to our critical information, which could result in significant legal and financial exposure.