Moderna, Inc. - (MRNA)

10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Cyber Risk Management and Strategy

Our cybersecurity organization’s mission is to provide a targeted set of services, support and capabilities to reduce the risk of cyberattacks, rapidly detect and contain threats, and mitigate risks to critical data.

Recognizing the threat of security breaches and cyberattacks globally, we have developed a cybersecurity program, overseen by our Chief Information Security Officer (CISO) and Chief Information Officer (CIO), that is designed to protect patient trust, defend the Moderna brand, and reduce the risk and impact of cyberattacks. Our cybersecurity program is informed by industry standards and includes periodic risk assessments and security testing supported by cybersecurity technologies, including third-party security solutions, vulnerability management, and monitoring tools, designed to monitor, identify, and manage risks from cyber threats. In addition, we have implemented employee security and awareness training.

Management has established a cyber incident response plan (CIRP) designed to assess, identify and manage risks from cybersecurity threats and enable prompt response in the event that a cybersecurity incident is detected. We have a process in place for notification to our leadership response team in the event of a significant cyber incident, and for escalation of these events to our Audit Committee and Board, as appropriate. To date, we have not experienced a cybersecurity incident that has had a material impact on our business strategy, results of operations, or financial condition.

We undergo several annual internal compliance audits and external reviews to evaluate our controls, including cybersecurity controls. In an effort to minimize third-party risk, we have established a process to assess the security practices of third-party suppliers and related risks, including through review of relevant supplier certifications and security and responses to standardized information gathering (SIG) questionnaires, as applicable and appropriate.

Governance Related to Cybersecurity Risks

Our Board of Directors oversees Moderna’s overall risk management strategy. The Board exercises oversight of risks from cybersecurity threats primarily through its Audit Committee, which oversees our risk management processes for information security and technology risks. Our cybersecurity risk management processes are integrated into our overall risk management strategy, which is overseen by the Audit Committee. At least annually, the Audit Committee discusses our risk management program, including information security and technology risks and findings from any audits, with our internal audit staff.

The Audit Committee receives cyber-related updates from management, including our CISO, at committee meetings. During meetings, our CISO updates the committee on Moderna’s cybersecurity posture, potential threats and risk mitigation strategies, and the progress of the Company’s cybersecurity initiatives, as appropriate. The Chair of the Audit Committee and management provide regular briefings on such matters to the full Board of Directors, as appropriate.

At the management level, our CISO is primarily responsible for leading our cybersecurity strategy for assessing and managing material risks from cybersecurity threats. Our current CISO has over 25 years of cybersecurity experience across a wide array of industries, most recently serving in leadership positions at two different public companies and previous roles of increasing responsibility at multinational technology companies. Our CISO reports directly to our CIO, who is a member of our Executive Committee and reports to our Chief Executive Officer.

We have built a cybersecurity leadership team designed to align with key services, with a separate lead overseeing each service offering, all reporting to the CISO. We also maintain relationships with law enforcement and industry groups to support our cybersecurity intelligence and risk management efforts.