REPLIGEN CORP - (RGEN)
10-K Filing Date: February 22, 2024
Governance Related to Cybersecurity Risks
Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks. Our Board exercises its oversight function through the Audit Committee, which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter. The Audit Committee receives quarterly reports from our Chief Information Officer (“CIO”) on the status of the Company’s cybersecurity program, including measures implemented to monitor and address cybersecurity risks and threats, as appropriate.
Under the leadership of our general counsel, we have constituted an enterprise risk management committee (“ERMC”) composed of senior management, including the CIO and other senior executives. The ERMC monitors and oversees risk areas that potentially could pose a high impact to the business, and cybersecurity currently is one of the ERMC’s priority focus areas. The ERMC reports on our top identified risks and steps to address those risks to the full Board on a semi-annual basis.
Our IT Infrastructure & Operations team manages the day-to-day administration of our cybersecurity program. We also work with a managed security service provider to monitor for vulnerabilities and threats, which are reported to the IT Infrastructure & Operations team and up to the CIO and other members of senior management, where appropriate. We engage employees in our cybersecurity efforts through a quarterly process for employees to complete security and awareness training as well as periodic simulated phishing campaigns. We also conduct specific training and tabletop exercises for key personnel involved in cybersecurity risk management.
Cybersecurity Risk Management and Strategy
We maintain a cybersecurity program, which is informed by industry standards, that includes processes for identification, assessment, and management of cybersecurity risks. We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security testing and have established a vulnerability management process, supported by security testing, for the treatment of identified security risks based on severity. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional contractual controls.
Our IT Infrastructure & Operations team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks through various means, including by leveraging managed security service providers and other third-party security software and technology services. In addition, we institute processes and technologies for the monitoring of security alerts from internal parties and external resources, including from information security research sources. We also have implemented processes and technologies for network monitoring and data loss prevention procedures.
We maintain processes to inform and update management and, as needed, the Audit Committee, about security incidents that may pose a significant risk for the business, as applicable. Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third-party vendors’ information systems. See Item 1A, “Risk Factors,” to this report for more information.