MYRIAD GENETICS INC - (MYGN)
10-K Filing Date: February 28, 2024
Item 1C. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We recognize the critical importance of maintaining the trust and confidence of patients, business partners, payors, clinical trial participants, and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our Board of Directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security, and availability of the information that we collect and store by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. We generally follow the HITRUST Common Security Framework in our cybersecurity policies, standards, processes, and practices.
To identify and assess material risks from cybersecurity threats, we maintain a cybersecurity risk management program that includes the identification, prioritization, and management of technical and non-technical risk to the confidentiality, integrity, or availability of patient, employee, clinical trial participant, payor, business partner, and company information. This program considers the risks associated with our industry and the technical and regulatory requirements related to the information systems and data involved. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process.
We have developed policies, standards, processes, and practices designed to protect our information systems and data from unauthorized access, cybersecurity attacks and other security incidents. The policies, standards, processes, and practices are implemented and enforced by dedicated IT and cybersecurity professionals. We utilize a variety of control measures and cybersecurity technologies that are designed to protect the availability of our critical information systems and data, maintain regulatory compliance, assess, identify, and manage our material risks from cybersecurity threats, and protect against and respond to security incidents.
These controls and processes are reviewed periodically and include the following activities:
• we monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
• through our policies, practices, and contracts (as applicable), we require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
• we utilize technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, virtual private networks (VPN), Web Application Firewalls (WAF), intrusion detection systems, antivirus and endpoint detection and response software, multi-factor authentication (MFA), data encryption, encrypted backups, vulnerability scanning and patching, email anti-phishing technology, malicious URL and IP filtering, application controls, USB control and threat intelligence services;
• our cybersecurity personnel include certified security professionals who are experienced in networks, computer systems, cloud cybersecurity, cybersecurity risk management, incident response, and security awareness training;
• we regularly test and monitor our cybersecurity defenses to ensure that they are effective; and
• we also conduct security awareness training for all employees to help them identify and mitigate cybersecurity risks.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Security breaches, loss of data and other disruptions, including from cyberattacks, could compromise sensitive information related to our business, prevent us from accessing critical information or expose us to liability, which could adversely affect our business and our reputation,” which disclosures are incorporated by reference herein.
We did not experience any material cybersecurity incidents during the last fiscal year.
We have an incident response plan and processes in place for responding to cybersecurity incidents. The process includes steps to identify, contain, investigate, and remediate the impacts of the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation. The plan involves the participation of a security incident response team that includes our Chief Legal Officer, our Privacy Officer, and other senior leaders in finance, communication, human resources, and legal. The plan includes procedures to communicate the incident to management and customers as appropriate and to provide information as required to state and federal law enforcement and regulatory bodies.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers and those who have access to patient, payor, business partner, and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, our data, or our facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
Cybersecurity Governance; Management
Role of the Board
Cybersecurity is an important part of our risk management processes and an area of focus for our Board of Directors and management. In general, the Audit and Finance Committee of our Board of Directors has primary responsibility for and oversight over cybersecurity threats and our information security management program and considers specific risks, including, for example, risk associated with our strategic plan and business operations. The Audit and Finance Committee receives regular reports from our Chief Technology Officer and Senior Vice President, Technology - Enterprise IT and Engineering, on, among other things, material cybersecurity threat risks or incidents and developments, assessments of our security program and overall security posture, our incident response plan, and initiatives to strengthen our information security systems and mitigate cybersecurity risks. The Audit and Finance Committee, including Rashmi Kumar, provides insights and guidance to management on cybersecurity-related matters. Ms. Kumar, who currently serves as Senior Vice President, Chief Information Officer, of Medtronic plc, is a seasoned technology leader with extensive experience in cybersecurity and information technology matters. Management, along with the chair of the Audit and Finance Committee and Ms. Kumar, regularly reports to the Board of Directors on cybersecurity risks and other related matters reviewed by the Audit and Finance Committee.
Role of Management
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Technology Officer, who is supported by our leaders in Information Technology, Information Security, and IT Security Compliance. These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, our Chief Technology Officer and Senior Vice President, Technology - Enterprise IT and Engineering regularly report to our Audit and Finance Committee about cybersecurity threat risks, among other cybersecurity-related matters.