Lyell Immunopharma, Inc. - (LYEL)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.
Risk management and strategy
We rely on information technology and data to operate our business and develop and advance our pipeline of product candidates. Our critical information technology includes computer networks, third-party hosted services, communications systems, software and infrastructure, and our critical data includes confidential, personal, proprietary and sensitive data (collectively, Information Assets). Accordingly, we maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring and assess potential material impact to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity and availability of our Information Assets and mitigate harm to our business.
Risks from cybersecurity threats are among those that we review and address in our general risk management program. We identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors,
conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats and conducting vulnerability assessments to identify vulnerabilities.
We rely on a multidisciplinary team (including from our information security function, management and third‑party service providers, as described further below) to assess how cybersecurity threats could impact our business. We routinely assess the likelihood that such threats could result in a material impact to our Information Assets, business and clinical operations, core business functions, personnel, reputation and identified critical business objectives.
Based on our assessment process and depending on the environment, we implement and maintain various technical, physical and organizational measures designed to manage and mitigate material risks from cybersecurity threats to our Information Assets, including, for example: policies and procedures designed to address cybersecurity threats, including an incident response plan, disaster recovery and business continuity plans; incident detection and response; internal and/or external audits to assess our exposure to cybersecurity threats, compliance with risk mitigation procedures and effectiveness of relevant controls; documented risk assessments; background checks on our personnel; encryption of data; network security controls; access controls; physical security; asset management; systems monitoring; employee training; penetration testing; and cyber insurance. We prioritize our efforts based on the threats that we believe are more likely to lead to a material impact to our business, such as ransomware, theft of intellectual property and interruption of services and processes on which we rely.
We work with third parties that assist us to identify, assess and manage cybersecurity risks, including professional services firms, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers and penetration testing firms.
To operate our business, we utilize certain third‑party service providers to perform a variety of functions, such as outsourced business functions, professional services, software-as-a-service platforms, managed services, property management, cloud-based infrastructure, data center facilities, encryption and authentication technology and corporate productivity services. Depending on the nature of the services provided, the sensitivity and quantity of information processed and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, conducting on-site inspections and requiring their completion of written questionnaires regarding their cybersecurity programs. For service providers that provide particularly critical services to us or process particularly sensitive information for us, we engage industry leaders with robust and documented cybersecurity programs.
For additional information about the risks from cybersecurity threats that may materially affect us and how they may do so, see the section entitled “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K, including “If our information technology systems or those third parties upon which we rely, or our data, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm and other adverse consequences.”
Governance
Our cybersecurity risk management strategy relies on input from management, including our Chief Operating Officer, Mr. Stephen Hill, to help us understand cybersecurity risks, establish priorities and determine the scope and details of our cybersecurity program and to implement it. Mr. Hill has held senior management positions at numerous pharmaceutical companies for over a decade. Management is responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy and for communicating key priorities to employees and other stakeholders. Our cybersecurity incident response and vulnerability management processes involve management, who participate in our disclosure controls and procedures.
Management meets regularly to discuss cybersecurity risk and to review our cybersecurity program. Management is also responsible for approving budgets, helping prepare for cybersecurity incidents, responding to cybersecurity incidents, approving cybersecurity policies and procedures, reviewing audit reports and reporting to our board of directors, testing incident response plans and engaging vendors that provide cybersecurity services. Management participates in cybersecurity incident response efforts by being members of the incident response team and helping direct our response to cybersecurity incidents.
Our board of directors has overall responsibility for evaluating key business risks faced by us, including cybersecurity and information technology. The audit committee of our board of directors assists the board of directors in the oversight and assessment of risks relating to data privacy, technology and information security, including cybersecurity.
Our audit committee holds regular meetings to discuss issues including our cybersecurity threats and has a dedicated agenda during such meetings that is designed to assist our board of directors and our audit committee in exercising their oversight function. The meetings involve presentations and reports from our management and specifically include updates on current cybersecurity threats faced by us and the steps we are taking to address them.