ARVINAS, INC. - (ARVN)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.
We have processes for assessing, identifying and managing cybersecurity risks, which are built into our information technology function and are designed to provide protection for our information assets and operations from internal and external cyber threats, including protecting employee and patient information from unauthorized access or attack, as well as secure our networks and systems. These processes include physical, procedural and technical safeguards, response plans, regular tests on our systems, incident simulations and routine reviews of our policies and procedures to identify risks and enhance our practices. As part of our overall risk mitigation strategy, we also maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches. We have engaged external parties, including consultants, computer security firms and risk management, and governance experts, to enhance our cybersecurity oversight. We also employ processes to identify material risks from cybersecurity threats associated with our use of third-party service providers.
The Company does not believe there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations, or financial condition.
Our Audit Committee of our Board of Directors, or the Audit Committee, provides direct cybersecurity risk oversight, and provides regular updates to the Board of Directors regarding such oversight. The Audit Committee receives quarterly updates from management and the Cybersecurity Board, as discussed in further detail below, regarding cybersecurity matters, and is notified between such updates regarding significant new cybersecurity threats or incidents.
We have a cross-functional Cybersecurity Board led by our Vice President of Information Technology & Corporate Projects serving as the chair and consisting of executive-level and non-executive level leaders, including among others, our Chief Financial Officer. This board is responsible for reviewing, engaging and making decisions related to the execution and continuous improvement of cybersecurity strategy, processes and governance impacting our information systems, employees, partners and patients. Our Vice President of Information Technology & Corporate Projects leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. Our Vice President of Information Technology & Corporate Projects is an experienced senior leader with more than 20 years of experience in information technology within the pharmaceutical industry leading a team of employee and consultants with a breadth of experience including security management experience along with CISSP certification.
In an effort to deter and detect cyber threats, we periodically provide our workforce, including all employees and contingent staff, with a privacy, data protection, cybersecurity and incident response, and prevention education and awareness program, which includes annual and supplemental training covering timely and relevant topics, such as social engineering, phishing, password protection, confidential data protection, asset use, and mobile security, and educates employees on the importance of reporting all incidents immediately. In addition, we perform monthly phishing test campaigns to reinforce identification and reporting training. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs. Lastly, we perform annual vulnerability assessments, conducted by independent, third-party cybersecurity firms.
121