BeiGene, Ltd. - (BGNE)

10-K Filing Date: February 26, 2024
Item 1C. Cybersecurity
We recognize the importance of safeguarding the security of our computer systems, software, networks, and other technology assets. Our security efforts are aimed at preserving the confidentiality, integrity, and continued availability of information under our ownership or care with the aim to continually improve security features in order to keep pace with the evolving cyber threat landscape.
Overview of Cybersecurity Risk Management and Strategy
Our cybersecurity risk identification, assessment and management process is a critical part of our overall enterprise risk management (“ERM”) system. Within our ERM system, we adhere to our Information Security Management Policy (“ISM Policy”) which is aimed at providing guidelines to monitor, review and continually improve our Information Security Management System (“ISMS”). Our ISMS is informed by ISO/IEC 27001:2013 standards and is operated based on an action model that identifies information security missions and objectives, including improvement measures to achieve continuous optimization. Our Cybersecurity Incident Response Plan (“CIRP”) is a critical component of our cybersecurity risk identification and management process, which, along with our incident response team, is designed to guide our response to potential cybersecurity incidents effectively and efficiently. Our ISM Policy, ISMS and CIRP are all internal tools we use to assess, identify and manage material risks from cybersecurity threats.
We also utilize external partnerships to help protect the Company from cybersecurity threats. This combination of people, processes and technology assists us in proactively managing and mitigating threats to our information technology environment. We have controls in place to defend against risks associated with cyber-attacks impacting our operations, compliance and financial reporting objectives. We are externally audited and certified under ISO 27001 and assessed according to National Institute of Standards and Technology (“NIST”) guidelines. Our external partners also evaluate our cybersecurity maturity and coverage as part of their services and keep us informed of emerging global threats.
We conduct a Testing, Training & Exercise program to test, sustain and refine our ability to respond to cybersecurity incidents in accordance with best practices. We also maintain an information security training program for our employees.
Our Third-Party Security Management Standard provides a framework for managing third-party information security risks and defines controls to minimize risks to the Company. It applies to third parties who have access to or process Company information. This framework includes processes for conducting, as appropriate, due diligence, risk assessment and planning, contract management, access control, ongoing monitoring, and possible service termination of, or changes to the third-party as part of the selection and management process.
Although risks from cybersecurity threats have not, to date, materially affected us, our business strategy, results of operations or financial condition, we and our third-party vendors, like other companies, have on occasion experienced, and will continue to experience, threats to our or their data and systems.
Board Oversight of Risks from Cybersecurity Threats
The Board of Directors (“Board”) oversees risk management related to the operation of the business and corporate functions as well as the implementation of business strategy. Our Board has delegated to the Audit Committee oversight of risk management, which includes risks from cybersecurity threats. We routinely review critical elements of our cybersecurity policies and program with the Audit Committee.
The management team – including our Senior Director, Global Information Security – provides periodic reports to the Audit Committee which cover cybersecurity and other information technology risks affecting the Company. Such reports are typically provided at an Audit Committee meeting and enable Audit Committee members to ask questions of management and engage in additional discussions in an open forum. The Audit Committee also periodically evaluates our overall cybersecurity strategy.
Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats
Our Information Security Steering Committee (“ISSC”) is responsible for oversight of matters related to information security and currently consists of professionals in legal operations and risk management, information governance, human resources operations, internal audit, computerized systems, global security and technical operations, and research technology, all of whose input brings significant value when assessing and managing cybersecurity risk. Our ISSC meets periodically and is presented with an update on cybersecurity matters from our Senior Director, Global Information Security. Our Senior Director, Global Information Security is responsible for facilitating the implementation of the plans and decisions made by the ISSC and directly provides updates to the Audit Committee as detailed above.
Our Senior Director, Global Information Security and our Vice President of Global Technology Solutions head our Global Technology Solutions Team, which is responsible for leading the individuals tasked with maintaining our enterprise-wide cyber resilience strategy, policy, standards, architecture, and processes. Our Senior Director of Global Information Security has over eighteen years of information technology and cybersecurity experience in multiple industries, including building and leading governance, risk, and compliance functions that cover ISO 27001 certified compliance, NIST Cybersecurity Framework assessments, Sarbanes-Oxley (“SOX”) information technology compliance, regional compliances, policy management, information technology risk management, vendor risk management, and security awareness. Our Vice President of Global Technology Solutions has over twenty years of experience leading technology organizations and managing information security across multiple industries, including SOX 404 compliance, GxP audit and compliance, NIST Cybersecurity Framework assessments, and managing incident response and communication with executives and boards of directors.