Arcellx, Inc. - (ACLX)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. This program includes:

Robust Firewalls and Intrusion Detection Systems: The company has invested in state-of-the-art firewalls and intrusion detection systems to prevent unauthorized access to its networks.
Regular Security Assessments: The company conducts regular security assessments to identify vulnerabilities and address them promptly. This includes penetration testing, vulnerability scanning, and third-party audits.
Employee Training and Awareness: The company provides comprehensive cybersecurity training to all employees to educate them about potential risks, phishing attacks, and best practices for protecting sensitive information.
Incident Response Plan: The company has developed an incident response plan that outlines the steps to be taken in the event of a cybersecurity breach. This includes isolating affected systems, investigating the breach, and notifying relevant stakeholders.
Cyber Insurance: The company has obtained cyber insurance coverage to mitigate the financial impact of a cybersecurity breach. This insurance policy covers expenses related to incident response, legal fees, and potential customer compensation.

By implementing these risk management strategies, the company aims to minimize the likelihood and impact of a cybersecurity breach, thereby safeguarding its assets and maintaining the trust of its stakeholders.

We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Director of Information Technology who reports to our Chief Financial Officer, to manage the risk assessment and mitigation process.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.

We engage assessors, consultants, or other third parties in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards. To oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws; that it will implement and maintain reasonable security measures in connection with its work with us; and that it will promptly report any suspected breach of its security measures that may affect our company.

For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K.

Governance

One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function primarily through the audit committee.

Our Director of Information Technology and members of our cybersecurity committee (a management committee), which includes legal and privacy representatives, are primarily responsible for assessing and managing our material risks from cybersecurity threats, with assistance from third-party service providers. Our Director of Information Technology has expertise in security frameworks and standards (NIST); proficiency in security tools such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), and vulnerability scanners; and experience with threat intelligence, threat modeling, risk assessment, and risk management practices, as well as with analyzing logs, investigating security incidents, and performing forensic analysis.

Our Director of Information Technology and members of our cybersecurity committee oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our Director of Information Technology and members of our cybersecurity committee are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents include the following: Security Awareness Training, Patch Management Process, Endpoint Detection and Response, Managed Detection and Response, Incident Response Plan, Data Encryption, Access Control, Network Security, and Vulnerability Management.

Our Director of Information Technology, Controller and members of our cybersecurity committee provide quarterly briefings to the audit committee regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like.