Editas Medicine, Inc. - (EDIT)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity
We have established certain processes for assessing, identifying and managing cybersecurity risks, which are built into our information technology functions and are designed to help protect our information, assets and operations from internal and external cyber threats. Such processes include physical, procedural and technical safeguards, response plans, regular tests on our systems, incident simulations and routine review of our policies and procedures to identify risks and refine our practices. We engage certain external parties, including consultants, independent privacy assessors, computer security firms and risk management and governance experts, as appropriate to enhance our cybersecurity oversight. We consider the internal risk oversight programs of third-party service providers before engaging them in order to help protect us from any related vulnerabilities.
We do not believe that there are currently any known risks from cybersecurity threats that have or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition.
The Audit Committee of our Board of Directors oversees our cybersecurity and data privacy risk management activities, and reports to the Board regarding such oversight as appropriate. The Audit Committee receives updates from management regarding cybersecurity matters not less than twice per year, and is notified between such updates regarding any significant new cybersecurity threats or incidents.
Our Head of Information Security leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes, and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. The Head of Information Security has approximately 20 years of cybersecurity expertise, including more than 15 years working in information security with the U.S. Federal Reserve System, serving most recently as the Assistant Vice President for Operations and Information Security. He has received both a GIAC Security Leadership certificate and a Certified Information Systems Security Professional certification.
We have also established a cross-functional Cybersecurity Incident Response Team led by our Head of Information Security serving as the chair and consisting of senior-level functional leaders, with appropriate members of our executive leadership team added on an ad hoc basis as necessary for any particular threat or incident. This team seeks to safeguard the confidentiality, integrity, and availability of our critical information assets and protect against cyber threats through establishing a proactive and effective incident response program, fostering a culture of security awareness, and ensuring the continuous improvement of our incident response capabilities. In the event of a cyber security incident, the team is responsible for the swift detection, containment, mitigation, and recovery from such incident to minimize business disruption, protect intellectual property, and maintain the trust of our stakeholders.
In an effort to deter, prevent and detect cyber threats, we provide all employees, including part-time and temporary employees, with a data protection, cybersecurity and incident response and prevention training and compliance program, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.