Guardant Health, Inc. - (GH)

10-K Filing Date: February 22, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
The security of our sensitive business-related information and the personal information we collect, as well as our information systems, is important for our business. In the normal course of business, we may collect and store personal information and other sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, information regarding study participants in connection with clinical studies, sensitive third-party information and employee information. To protect this information, we have implemented a cybersecurity program, and have established oversight mechanisms designed to provide effective cybersecurity governance, risk management, and timely incident response. Our cybersecurity risk management is based on recognized cybersecurity industry frameworks and standards including NIST-CSF, ISO 27001/27002 as well as HIPAA.
Our cybersecurity policies require that we implement and maintain monitoring and detection programs, network security precautions, encryption of critical data, and management of third-party risk. We maintain various protections designed to safeguard against cyberattacks, including but not limited to attack surface management, anti-phishing secure email gateways, centralized log monitoring and analysis, cloud security posture management, endpoint detection and response, and network intrusion detection and prevention systems. We also have processes in place to prevent unauthorized access to data processing systems and facilities, including two-factor authentication, tiered approval processes and password complexity, and our employees undergo mandatory privacy and security trainings annually. We have established and periodically test our disaster recovery plan and we protect against business interruption by backing up our major systems. In addition, we periodically scan our environment for any vulnerabilities, perform penetration testing and engage third parties to assess effectiveness of our data security practices and compliance with applicable practices and standards. In addition, we maintain a third-party risk register to identify, prioritize and track risks, including those associated with our use of third-party service providers. We also maintain cybersecurity insurance coverage.
Governance
Our cybersecurity program is led by a team of cybersecurity professionals. The program incorporates industry-standard frameworks, policies and practices designed to protect the privacy and security of our sensitive information. Senior members of our management, including our Head of Information Security and Chief Information Officer, each of whom has over 10 years of experience in various roles involving information technology, including security, auditing, compliance, systems and programming, are responsible for assessing cybersecurity risk. Risk management is performed by the senior leadership of the cybersecurity team as well as members of our legal and privacy teams where relevant. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management processes described above, including the operation of our incident response plan. Additionally, our threat intelligence software issues a quarterly report briefing to inform the security team about relevant cybersecurity events, significant vulnerabilities and vendor-related incidents.
Our Head of Information Security reports to the full Board of Directors and the Nominating and Corporate Governance Committee on two occasions per year on information security and cybersecurity matters, or more frequently as needed. These reports generally cover various topics, which may include summaries of recent industry events or notable topics that may influence our cybersecurity risk perspective and security priorities; any actions taken in response to such events or topics; and a review of our top cybersecurity concerns and priorities. Our Nominating and Corporate Governance Committee has oversight responsibility for our data security practices and we believe the committee has the requisite skills and visibility into the design and operation of our data security practices to fulfill this responsibility effectively.
Despite the implementation of our cybersecurity program, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences to the business. As of the date of this Annual Report on Form 10-K, we are not aware of any material cybersecurity incidents or threats that have impacted our business. However, we and our customers routinely face risks of cybersecurity incidents, wholly or partially beyond our control, as we rely heavily on our information technology systems. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See Part I, Item 1A. “Risk Factors” of this Annual Report on Form 10-K for additional information about the risks to our business associated with a breach or compromise to our information technology systems.