GERON CORP - (GERN)

10-K Filing Date: February 28, 2024
ITEM 1C. CYBERSECURITY

Risk management and strategy

We operate in the biopharmaceutical sector, which is a highly regulated sector subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft; fraud; extortion; harm to employees or customers; disruption of our clinical trials, manufacturing or supply chain; violation of privacy laws and other litigation and legal risk; and reputational risk. We rely primarily on industry-leading third parties and a cloud-based infrastructure for our information technology systems, and accordingly are dependent on these third parties’ own cybersecurity risk management practices and strategy. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including clinical trial data, intellectual property, confidential information that is proprietary, strategic, financial or competitive in nature, and personal data (“Information Systems and Data”).

We take a risk-based approach to identify and assess the cybersecurity threats and risks that could affect our business and Information Systems and Data. Our Information Technology personnel help identify, assess and manage our cybersecurity threats and risks, and support our efforts to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment. We use various methods and tools to identify, assess and manage cybersecurity threats and risks, including, for example, automated tools, industry reports, third party threat assessments and penetration testing. In addition, we encrypt data at rest and maintain network security controls, such as firewalls and virtual private networks. We also conduct computerized system monitoring and access control, including asset management, tracking and disposal associated with onboarding and offboarding of personnel. We maintain cybersecurity insurance.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data. For example, we have implemented and maintain an incident response plan, and we utilize automated tools designed to maintain email security. We have also implemented a computerized system security and password policy that defines security for access to computer systems managed and controlled by us, and a procedure for computerized system incident management to address any unplanned issues in regulated computerized systems that could impact subject safety, product quality, and data integrity. We periodically conduct cybersecurity incident tabletop training exercises involving our personnel and plan to conduct similar training in 2024.

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, our head of Information Technology evaluates material risks from cybersecurity threats and reports periodically to our Audit Committee, which evaluates our overall enterprise risk. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, cybersecurity software providers such as CrowdStrike, cybersecurity service providers such as Mimecast, penetration testing firms, auditors, and professional services firms, including legal counsel. These relationships enable us to leverage specialized knowledge and insights, enabling our cybersecurity strategies and processes to remain consistent with industry best practices.

We rely on third-party service providers to perform a variety of functions throughout our business, such as contract manufacturing organizations, contract research organizations, suppliers and consultants. If we successfully obtain regulatory approval to commercialize imetelstat, we will rely on third party logistics organizations and distributors to distribute imetelstat. We conduct quality audits of regulated vendors, which typically include an assessment of such vendor’s information technology systems, and we impose appropriate contractual obligations on vendors pertaining to information security. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our efforts may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

We have not encountered cybersecurity challenges that have materially impaired our business, operations or financial standing.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “Risks Related to Information Technology Systems, Data Security and Data Privacy.”

Governance

Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of our Board is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our Audit Committee, as well as our Chief Financial Officer, Chief Legal Officer, and other members of our executive management as appropriate, receives periodic reports from our head of Information Technology concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. The Audit Committee also receives various periodic presentations related to cybersecurity threats, risk and mitigation.

Risk Management Personnel

Our Information Technology personnel responsible for cybersecurity risk assessment and management processes are managed by certain members of our executive management, including our Chief Financial Officer. Together with our executive management, our Information Technology personnel are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. We seek to hire information technology personnel with skills appropriate to help us prepare for cybersecurity incidents, approve cybersecurity processes, and review security assessments and other security-related reports.

Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including executive management. When appropriate given the nature of any potential cybersecurity incident, our executive management works with our incident response team to help us mitigate and remediate cybersecurity incidents of which they are notified, and to make any legally required notifications to individuals or regulatory agencies, including making any required disclosures under the Securities Exchange Act of 1934, as amended.