BIOCRYST PHARMACEUTICALS INC - (BCRX)
10-K Filing Date: February 27, 2024
ITEM 1C. CYBERSECURITY
We maintain a cybersecurity program that is reasonably designed to assess, identify, and manage risks from cybersecurity threats that may result in material adverse effects on the confidentiality, integrity, and availability of our information systems.
Governance
Board of Directors
Our Board of Directors, directly and through its committees, oversees the Company’s risk management function. The Board of Directors has delegated the primary responsibility to oversee cybersecurity matters to the Audit Committee. The Audit Committee reviews the measures implemented by the Company to identify and mitigate data protection and cybersecurity risks. As part of such reviews, the Audit Committee regularly receives reports and presentations from members of our Cybersecurity Steering Committee as appropriate, with a minimum frequency of once per year. These reports and presentations address a wide range of topics including recent developments, status of ongoing and planned cybersecurity initiatives and strategies, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, security spend, technological trends and information security considerations arising with respect to the Company’s peers and third parties. The Audit Committee reports to the Board of Directors on data protection and cybersecurity matters. We have protocols by which certain cybersecurity incidents are escalated within the Company and, where appropriate, reported to the Audit Committee, as well as ongoing updates regarding any such incident until it has been addressed.
Management
At the management level, the Chief Financial Officer and Chief Legal Officer attend meetings of the Company’s Cybersecurity Steering Committee (discussed further below) to receive reports on ongoing cybersecurity matters. This ensures that management is involved in an ongoing dialogue regarding the Company’s material risks from cybersecurity threats. In addition, members of the Cybersecurity Steering Committee provide updates on the Company’s cybersecurity control and risk posture and the status of ongoing and planned cybersecurity initiatives and strategies to the Company’s senior management team on an annual basis.
Cybersecurity Steering Committee
The Company has implemented a broad-spectrum, cross-functional approach to assessing, identifying, and managing risks from cybersecurity threats. Our Cybersecurity Steering Committee has broad oversight of the Company’s cybersecurity risk management processes. The Cybersecurity Steering Committee is composed of the Company’s Chief Financial Officer, Chief Legal Officer, Senior Vice President, Information Technology, senior cybersecurity professionals, members of the finance and legal departments, and other individuals invited as appropriate on an ad hoc basis. On at least a quarterly basis, the Cybersecurity Steering Committee meets to discuss recent cybersecurity events or threats, the status of ongoing and planned cybersecurity initiatives and strategies, external cybersecurity trends, and risk management measures implemented by the Company to identify and mitigate data protection and cybersecurity risks, among other topics. In addition to the scheduled meetings, the Cybersecurity Steering Committee is informed of potentially material cybersecurity events as they arise.
Within the Cybersecurity Steering Committee, our virtual Chief Information Security Officer (vCISO) and our Senior Manager, Security Engineering are primarily responsible for assessing, monitoring, and managing our cybersecurity risks. Our vCISO is a seasoned cyber consultant providing CISO-level advisory services to the Company and reports to the Senior Vice President, Information Technology, who is directly managed by the Chief Financial Officer. He has held CISO positions in several Fortune-500 companies across multiple industry sectors, has worked in information security for over 23 years, is a Certified Information Systems Security Professional (CISSP), and has extensive experience with multiple commercial and government security frameworks. He leads the Company’s information security program and sets the strategic direction for, and establishes and governs the structure of, the program.
Our Senior Manager, Security Engineering is managed by the Company’s Executive Director, IT Infrastructure & Operations, who directly reports to the Senior Vice President, Information Technology. He has over 38 years of experience in information security and data privacy and has CISSP and Cisco Certified Network Associate (CCNA) certifications. He implements and oversees processes for the regular monitoring of our information systems and detection of cybersecurity vulnerabilities.
The Cybersecurity Steering Committee also works closely with members of the legal department to oversee compliance with legal and regulatory security requirements. In addition, the Cybersecurity Steering Committee has implemented controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Risk Management and Strategy
Cybersecurity Program
The Company’s cybersecurity program leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for governance and program management and refers to the Center for Internet Security (CIS) guidelines when reviewing the Company’s security controls posture. The Company uses certain advanced security measures, regular system audits, third-party monitoring tools, and ongoing intelligence gathering on the latest developments in cybersecurity to identify, assess, and manage potential vulnerabilities and risks. In addition, the Company engages third parties to assist with assessing, identifying, and managing material risks from cybersecurity threats. Once the relevant material risks have been identified, the Company implements controls and processes to help manage these risks, including conducting tabletop exercises to simulate response to a cybersecurity incident, regular testing (e.g., penetration tests, vulnerability scanning), and control gap analyses and assessments designed to confirm that appropriate security controls are in place and are maintaining functionality in accordance with the established policies.
We also employ systems and processes designed to oversee, identify, and reduce the potential impact of cybersecurity threats associated with any third-party vendor, service provider or customer or otherwise implicating the third-party technology and systems we use.
Our cybersecurity program is integrated into the Company’s overall risk management framework to help identify, assess, educate, and manage the Company’s cybersecurity risk. Our Board of Directors and the Audit Committee, in its role assisting the Board of Directors in its oversight of the Company’s risk management function, consider cybersecurity threat risks alongside other Company risks as part of our overall risk assessment.
Incident Response
The Company has adopted a technology incident response plan (IRP) applicable to all Company employees and contractors, which sets forth the process for responding to and documenting data and information technology-related incidents such as security breaches, system failures, data loss, and service interruption. The IRP provides a standardized framework for investigating, containing, documenting and mitigating cybersecurity incidents, including reporting findings and keeping senior management and other key stakeholders informed and involved as appropriate. The Company’s employees are required to review the IRP and undergo additional cybersecurity training on a regular basis.
Material Cybersecurity Risk, Threats & Incidents
As detailed elsewhere in this report, we rely on information technology systems and third-party providers to operate our business. Despite ongoing efforts to continually improve our and our third-party providers’ ability to protect against cyber incidents, our networks and infrastructure may be vulnerable to cyberattacks or intrusions, which could result in a violation of applicable privacy and other laws, significant legal and financial exposure, damage to our reputation, loss or misuse of the information or a loss of confidence in our data security measures, among other consequences. While we have not experienced any material cybersecurity threats or incidents, there can be no guarantee that we will not be the subject of future successful attacks, threats, or incidents. See “Risk Factors—Risks Relating to Our Business—Risks Relating to Technology—Cyber incidents and related disruptions in our or our third-party vendors’ information technology systems could adversely affect our business” in Part I, Item 1A of this report for additional information on cybersecurity risks we face, which should be read together with the foregoing information.