GeneDx Holdings Corp. - (WGS)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Our board of directors recognizes the critical importance of maintaining the trust and confidence of our customers, healthcare providers, clients, business partners, and employees. Our board of directors actively oversees our risk management program, and cybersecurity represents an important component of our overall approach to enterprise risk management (“ERM”). In general, we seek to address cybersecurity risks through a cross-functional approach focused on preserving the confidentiality, security, and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Risk Management and Strategy
As one of the critical elements of our overall ERM approach, our cybersecurity program is focused on the following key areas:
Governance: As discussed in more detail under the heading “Governance,” the audit committee of our board of directors, which regularly interacts with our ERM function, our Head of Information Security (“HIS”) and other members of management, supports the board of directors' oversight of cybersecurity risk management.
Cross-Functional Approach: We have implemented a cross-functional approach to identifying, preventing, and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.
Technical Safeguards: We deploy commercially reasonable technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence.
Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems.
Education and Awareness: We provide regular, mandatory training for personnel regarding cybersecurity threats as a means to equip our personnel with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
We engage in the routine, periodic assessment and testing of our policies, standards, processes and practices that are designed to address cybersecurity threats and incidents. These efforts include a wide range of activities, including audits, assessments and other exercises focused on evaluating the effectiveness of our cybersecurity measures and planning. We regularly engage third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to our audit committee, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits and reviews.
Governance
Our board of directors, in coordination with our audit committee, oversees our ERM process, including the management of risks arising from cybersecurity threats. Our audit committee receives regular presentations and reports on cybersecurity risks. Our board of directors and audit committee receive and review prompt and timely information regarding any incident that may be considered material to investors or otherwise could materially affect core company operations.
Our HIS works collaboratively across the company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any cybersecurity incidents in accordance with our incident response and recovery plans. Through ongoing communications with these teams, our HIS monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and such threats and incidents are reported to our audit committee when appropriate.
Our HIS has served in various roles in information technology and information security for over 14 years and holds an undergraduate degree in Management Information System and a graduate degree in Human Resource Management and has attained the professional certification of Certified Chief Information Security Officer.
Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected, and the Company believes that such risks are not reasonably likely to materially affect the Company, including its business strategy, results of operations or financial condition.
Although we are subject to ongoing and evolving cybersecurity threats, we are not aware of any material risks from cybersecurity threats in 2023 that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. For more information on our cybersecurity risks, see “Risk Factors—Risks Related to Cybersecurity, Privacy and Information Technology”.