Celldex Therapeutics, Inc. - (CLDX)
10-K Filing Date: February 26, 2024
Cybersecurity Risk Management and Strategy
To effectively prevent, detect and respond to cybersecurity threats, we maintain a cyber risk management program under the responsibility of the head of the Information Technology (“IT”) function. Management and administration of cybersecurity systems and activities are primarily outsourced to consultants who have cross-functional expertise in cybersecurity and who perform the work under the supervision of the IT head. Our IT head, in turn, reports to the Senior Vice-President and General Counsel, who is responsible for and knowledgeable of legal and contractual cybersecurity risk for the organization. The program comprises policies, standards, architecture, and processes, which are reviewed and updated on a periodic basis. The program leverages a multilayered approach, utilizing different practices, technologies, vendors and techniques without overreliance on a single vendor. We engage consultants to help develop and evidence the policies, standards, and processes in a manner consistent with applicable legal requirements, and we also evaluate and adopt cybersecurity software from reputable cybersecurity vendors, some of which provide software-as-a-service solutions backed by a Security Operations Center. We also engage separate third parties to provide penetration testing, risk consulting, and cybersecurity incident assessment and forensics, as necessary and in addition to IT’s internal risk assessment processes. We work with many companies that provide hosted software or support for software systems. It is important for these
companies to also have effective cybersecurity measures to protect data and systems. We use a self-attestation form to assess cybersecurity readiness, which is sent to select vendors based on a risk assessment. For certain vendors, we request System and Organization Controls (SOC) reports or similar documents to provide assurance that the vendors have audited practices or, where SOC audit documentation does not exist, practices in keeping with our legal requirements. We have also engaged legal counsel to advise on cybersecurity matters, and we have developed an escalation protocol to report cybersecurity incidents as legally required. No material cybersecurity incidents have occurred to date.
The program also includes training that reinforces our policies, standards, and practices, as well as the expectation that employees comply with these policies. The training engages personnel on how to identify potential cybersecurity risks and protect our resources and information. This training is mandatory for all employees on a periodic basis, and it is supplemented by testing initiatives, including periodic phishing tests. We maintain a cybersecurity risk insurance policy.
Governance; Board Oversight
Our Audit Committee is responsible for reviewing our information security programs, including cybersecurity. IT provides regular updates to the Audit Committee on our IT security strategy, secure score assessments, penetration testing results, and status of risk mitigation activities, where applicable. IT also notifies the Audit Committee and Executive Committee of any cybersecurity incidents (suspected or actual) and provides updates on the incidents as well as cybersecurity risk mitigation activities, as appropriate.