Alector, Inc. - (ALEC)

10-K Filing Date: February 27, 2024
Item 1C. Cybersecurity.

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, using widely recognized industry frameworks. We use risk management strategies that focus on vital areas such as data protection, access control, incident response, and vulnerability management, and we have integrated these processes into our overall risk management program. We routinely assess risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We have implemented a multi-faceted cybersecurity program in accordance with globally recognized standards to protect the confidentiality, integrity, and availability of our information assets. The primary aims of this program are to devise, initiate, and maintain a cybersecurity approach that safeguards our systems, services, and data from unauthorized access, outages, exposure, modification, damage, and loss.

We have implemented a range of logical and technical controls to appropriately restrict physical and logical access. We maintain authentication controls in line with industry-recognized standards, including audit trails and logs for access. Access privileges are updated following any change in personnel or system, and are reviewed periodically, with the frequency determined by the associated risk of the application or system.

We engage the expertise of third-party organizations to assist us in designing and implementing our cybersecurity procedures, as well as in monitoring and testing our safeguards against recognized industry standards and practices. This process aims to confirm that our security infrastructure is robust and efficient, and that it is designed to resist diverse security threats. We use the critical insights gained from these third-party assessments to continue to improve our security controls and protect our systems and data.

We evaluate potential cybersecurity risks associated with third-party service providers, including through a periodic vendor security review process overseen by our Head of Cybersecurity.

We have not encountered any cybersecurity threats or incidents to date that have materially affected, or that are reasonably likely to materially affect, our business, strategy, results of operations or financial condition. For additional information regarding cybersecurity risks and their potential impacts on our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K.

Governance

Our Vice President, Technology and Digital Health, serves as our Head of Cybersecurity and is responsible for developing and executing our cybersecurity strategy and program. We also maintain a team of cybersecurity professionals who are responsible for security operations and report to the Head of Cybersecurity, who has more than 20 years’ experience in cybersecurity and information technology infrastructure and operations.

Our Head of Cybersecurity is regularly informed about developments in cybersecurity, including potential threats and innovative risk management techniques in the interest of effective prevention, detection, mitigation, and remediation of cybersecurity incidents. The Head of Cybersecurity oversees the processes for monitoring our information systems, including periodic system audits to identify potential vulnerabilities and third-party audits and evaluations. In the event of a cybersecurity incident, the Head of Cybersecurity implements an incident response plan. This plan includes immediate actions to mitigate the impact of incidents and strategies for remediation of future incidents. The Head of Cybersecurity is responsible for reporting information about cybersecurity risks and incidents to our Chief Financial Officer and other members of executive management.

Our board of directors oversees our enterprise risk management, including our management of cybersecurity risks. The audit committee of our board of directors has primary responsibility for the oversight of risks from cybersecurity threats. The Head of Cybersecurity, or a delegate, provides quarterly reports to the audit committee on the effectiveness and overall status of our cybersecurity program, and is responsible for reporting to the audit committee information about our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses.