Sarepta Therapeutics, Inc. - (SRPT)

10-K Filing Date: February 28, 2024
Item 1C. Cybersecurity

Program Details

Our information security program is developed using industry standards and best practices as a guide, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The program includes regular internal evaluations, including annual penetration tests and monthly vulnerability scans, as well as evaluations by external vendor partners in support of our operations model. The results of these evaluations are regularly shared with senior management and the Audit Committee of the Board of Directors (the “Audit Committee”), where appropriate.

We have developed and implemented a cybersecurity risk management program intended to protect the Confidentiality, Integrity, and Availability (CIA) of our critical systems and information.

Our cybersecurity risk management program is integrated into our overall enterprise risk management processes and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.

Our cybersecurity risk management program includes:

A layered defense approach with controls deployed that seek to meet the requirements of the NIST Cybersecurity Framework.
Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment.
A security team principally responsible for managing (a) our cybersecurity risk assessment processes, (b) our security controls, and (c) our response to cybersecurity incidents.
The use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls as part of our operational security model.
A threat intelligence function that informs our cybersecurity and IT personnel about new vulnerabilities and risks that require timely intervention or remediation.
Cybersecurity awareness training of our employees, incident response personnel, and senior management.
A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents.
A third-party risk management process for service providers, suppliers, and vendors.

As of the date of this Annual Report, we have not experienced any material cybersecurity incidents, but we cannot provide assurance that we will not be materially affected in the future by such risks or any future material incidents.

Oversight

The Audit Committee oversees our information technology systems and related cybersecurity program. Our cybersecurity program is managed by our dedicated Chief Information Security Officer (CISO), reporting directly to the Company’s Chief Information Officer (the “CIO”), whose team is responsible for leading the Company’s cybersecurity policies and procedures.

Our CIO has over 25 years of experience and has served in a variety of information systems leadership roles in the life sciences industry supporting research and development, commercial sales and marketing, finance, human resources and other corporate functions, and IT architecture, strategy, and planning.

Our CISO has over 20 years of experience, including experience in creating and managing corporate-wide information technology, information/cybersecurity, compliance, privacy, and risk management programs as well as having implemented these initiatives across global organizations.

At least annually, but more often as needed, our CIO provides updates on the program to the Audit Committee. The CIO also provides regular updates to members of the Company’s senior management team regarding cyber risks, threats and assessments and material cybersecurity developments of the Company’s program.