AMICUS THERAPEUTICS, INC. - (FOLD)
10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY
The Company’s Board of Directors (the “Board”) recognizes the critical importance of maintaining the trust and confidence of our customers, clients, business partners and employees. The Board is actively involved in oversight of the Company’s Enterprise Risk Management Program (“ERMP”), and cybersecurity represents an important component of the Company’s overall approach to enterprise risk management. The Company’s cybersecurity policies, standards, processes and practices are integrated into the Company’s ERMP and are based on recognized frameworks established by the National Institute of Standards and Technology and other applicable industry standards. In general, the Company seeks to address cybersecurity risks through a systematic, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents if they should occur.
Risk Management and Strategy
As one of the critical elements of the Company’s overall enterprise risk management approach, the Company’s cybersecurity program is focused on the following key areas:
•Governance: As discussed in more detail under the heading “Governance,” the Board’s oversight of cybersecurity is delegated to the Audit and Compliance Committee of the Board, which oversees the Company’s entire ERMP, reporting up to the full Board on a periodic basis. The Company’s Chief Information Officer (“CIO”), the Chief Compliance Officer and other members of management regularly report to the Audit and Compliance Committee, with cybersecurity representing a standing meeting agenda topic.
•Collaborative Approach: The Company has implemented a systematic, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
•Technical Safeguards: The Company deploys technical safeguards that are designed to protect the Company’s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, 24x7 security monitoring, and other controls which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
•Incident Response and Recovery Planning: The Company has established and maintains systematic incident response and recovery plans that address the Company’s response to a cybersecurity incident, and such plans are tested and evaluated on a periodic basis.
•Third-Party Risk Management: The Company maintains a systematic, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
•Education and Awareness: The Company provides regular, mandatory cybersecurity training for all personnel as a means to equip the Company’s workforce with effective tools to recognize, address and communicate potential or actual threats to the Company’s cybersecurity systems. Moreover, these trainings also allow Company personnel to remain up-to-date with evolving information security policies, standards, processes and best practices.
The Company engages in the periodic assessment and testing of the Company’s policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments, tabletop exercises, threat modeling, vulnerability testing and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. The Company has also engaged third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results and findings of these exercises are reported to the Audit and Compliance Committee, which in turn updates the Board as appropriate. Management will then evaluate such findings and, with input from the Audit and Compliance Committee, take the appropriate steps to adjust the Company’s cybersecurity policies, standards, processes and practices, as may be applicable, to strengthen or address any weaknesses, gaps or findings as the case may be.
As of the date of this Annual Report on Form 10-K, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition.
Governance
The Board has delegated its oversight of cybersecurity to the Company’s Audit and Compliance Committee, which oversees the entire ERMP process. As detailed above, cybersecurity is a standing agenda topic for the Audit and Compliance Committee, which receives regular presentations and reports from the Company’s CIO on cybersecurity risks, detection protocols, disaster recovery readiness, the threat environment, recent developments in the cybersecurity space (including known incidents affecting the Company or key Company suppliers), evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and information security considerations arising with respect to the Company’s peers and third parties. Under the current cybersecurity framework, the Audit and Compliance Committee receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident. The Audit and Compliance Committee will keep the full Board informed, as may be appropriate, until any such threat has been addressed to its satisfaction. Additionally, cybersecurity is a standing agenda topic for the Global Risk Committee, with periodic updates to the Executive Committee and Senior Leadership Team.
The CIO, in coordination with the Chief Executive Officer, Chief Financial Officer, Chief Compliance Officer, Chief Legal Officer, and Chief People Officer, works collaboratively across the Company to implement a program designed to protect the Company’s information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with the Company’s incident response and recovery plans. To facilitate the success of the Company’s cybersecurity risk management program, multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents. The CIO has served in various leadership roles in information technology and information security for over 24 years, including serving as the vice president of information technology, with direct responsibility over the cybersecurity program, for a large publicly-traded company and as the chief information security officer of several large healthcare organizations. The CIO holds a Certified Information Systems Security Professional certification, an undergraduate degree in engineering, an MBA and a PhD in engineering.