Vir Biotechnology, Inc. - (VIR)
10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
Our Board of Directors (the “Board”) and management recognize the importance of maintaining the trust and confidence of our patients, investors, business partners and employees. The Board and our Audit Committee are actively involved in oversight of our cybersecurity program as part of our approach to risk management. Our cybersecurity policies, processes and practices are integrated into our operations and are based on recognized standards such as the National Institute of Standards and Technology Cybersecurity Framework. In general, we seek to address cybersecurity risks through a comprehensive, coordinated approach that is focused on preserving the confidentiality, security, and availability of the information that we create through our business operations by identifying, preventing, and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Risk Management and Strategy
Our cybersecurity program, which is one of the important elements of and has been integrated into our overall enterprise risk management approach, includes the following:
Governance: As discussed in more detail below under the heading “Governance,” our Board’s oversight of cybersecurity risk management is supported by the Audit Committee of the Board, which regularly reviews operational risks. Our Chief Information Officer (“CIO”), together with our Head of Information Security (“HIS”), and other members of our management team meet regularly to review current cybersecurity risks. The CIO and management team representatives also meet with the Audit Committee at least on a quarterly basis to discuss and review our cybersecurity program and risk landscape.
Collaborative Approach: We have implemented a cross-functional approach involving all employees to help in identifying, preventing, and mitigating cybersecurity threats and incidents. We have implemented processes that provide for the prompt escalation of known cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by our management team, together with the Audit Committee, in a timely manner.
Technical Safeguards: We deploy technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, and access controls. We also employ multi-factor authentication and a managed endpoint detection and response solution for malware. These measures are evaluated and improved through vulnerability assessments and penetration testing completed by third party experts, as well as cybersecurity threat intelligence.
Incident Response and Recovery: We have established and maintain an incident response plan that addresses our response to a cybersecurity incident. This plan is evaluated regularly.
Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and third-party systems.
Education and Awareness: We provide regular training on cybersecurity threats to equip our personnel with effective tools to address them and to communicate our latest information security policies, processes and practices.
We periodically evaluate and test our policies, standards, processes, and practices to address cybersecurity threats and incidents. These efforts include a wide range of activities, including third party assessments, vulnerability testing, and other exercises focused on evaluating the effectiveness of our cybersecurity measures. The results of such assessments and reviews are reported to our management team, the Audit Committee and the Board, and we adjust our cybersecurity program as necessary based on the information provided by these assessments and reviews.
Governance
Our Board, in coordination with the Audit Committee, oversees our risk management approach, including the management of risks arising from cybersecurity threats. The Board and the Audit Committee each receive regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent expert reviews, the threat environment, technological trends, and any material risks identified with our third parties. The Audit Committee also receives prompt and timely information regarding any significant cybersecurity incidents, as well as ongoing updates regarding any such incidents until they have been remediated. Our CIO, Audit Committee and Board review and discuss our approach to cybersecurity risk on an annual basis.
The HIS and CIO, in coordination with our management team, which includes our Chief Executive Officer (“CEO”), Chief Financial Officer (“CFO”) and General Counsel, work collaboratively to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response plan. Through an ongoing process, the HIS monitors the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents in real time, and reports such threats and incidents to the CIO, management team, and when appropriate, the Audit Committee.
Selected Management and Director Qualifications
The HIS and CIO have both served in various roles in information technology and information security for many years, including serving in similar roles at other publicly traded companies. The HIS holds several industry accreditations, including being a certified Chief Information Security Officer, and has worked in the information technology field for over 25 years, specializing in Information Security for the last 15 years. The CIO has undergraduate and graduate degrees in technical fields, plus a master’s degree in business administration, and has worked in healthcare information technology for over 20 years. Our CEO, CFO and General Counsel each hold undergraduate and graduate degrees in their respective fields, and each have over 20 years of experience managing risks at Vir and at similarly situated companies, including risks arising from cybersecurity threats. For example, our CFO has been responsible for leading and managing Information Technology departments at three separate publicly traded companies, including our Company, and has leadership experience in business continuity planning in various roles. Additionally, one of our directors formerly served as the United States Secretary of Homeland Security, in which capacity she had ultimate responsibility for the cybersecurity of the critical infrastructure of the United States of America, and as President of the University of California with responsibility for cybersecurity matters related to the university’s various networks.
Risk and Issues Disclosure
We describe the risks we face, including cybersecurity risks, in Section 1A above, titled “Risk Factors”. For the period covered by this Annual Report on Form 10-K, we are unaware of any specific cybersecurity threats that have materially affected the Company, its business strategy, results of operations or financial condition.