REGENXBIO Inc. - (RGNX)
10-K Filing Date: February 27, 2024
We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our cybersecurity policies, processes and practices. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve and recover from security incidents in a timely manner. We require annual information security training to be completed by our employees, and we maintain a limited cybersecurity liability insurance policy.
Our Senior Vice President of Information Technology (SVP, IT) is responsible for the establishment and maintenance of our cybersecurity program, as well as the assessment and management of cybersecurity risks. Our current SVP, IT has over 25 years of experience in information technology and possesses the requisite education, skills and experience expected of an individual assigned to these duties. We also engage third-party consultants and auditors to assess the effectiveness of our cybersecurity prevention and response systems and processes. Where applicable, third-party service providers are contractually obligated to notify us of material incidents arising from cybersecurity events within their purview.
We identify, assess and manage material risks from cybersecurity threats by following written policies and procedures, which are in compliance with the International Organization for Standardization (ISO) 27001 Information Security Management System. The output of this process is then integrated with our enterprise risk management (ERM) program. The ERM program is managed by our Chief Operating Officer (COO), with input from various representatives across our business operations, and is used to assess risks to our business based on their potential likelihood and magnitude of impact. Our information technology organization provides the inputs to our ERM process related to material cybersecurity risks and mitigation plans. The information technology team is responsible for the prevention, detection, mitigation and remediation of cybersecurity incidents. Cybersecurity incidents are documented and triaged in accordance with a defined process. Incidents deemed to be significant are escalated to the Audit Committee of our Board of Directors after appropriate assessment by the information technology organization and other internal stakeholders. In the event an incident highlights an emerging or previously unidentified cybersecurity risk, such risk is then synthesized into the ERM process.
The Audit Committee of our Board of Directors oversees our ERM program and is apprised of material risks arising from cybersecurity threats impacting our business. The COO provides quarterly reporting on our material enterprise risks to the Audit Committee. In addition to material risks identified by the ERM process, our information technology management provides periodic reporting, at least semi-annually, on our cybersecurity risk profile and risk mitigation strategies to the Audit Committee. This reporting is also made available to the full Board of Directors.
In the last three years, we have not identified any cybersecurity incidents which have materially affected, or are reasonably likely to materially affect, our business. For further information regarding cybersecurity risks, please refer to “Risk Factors – Risks Related to Our Business Operations” and other risks described in the “Risk Factors” section of this Annual Report on Form 10-K.