DYNAVAX TECHNOLOGIES CORP - (DVAX)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, along with personal data and other sensitive information, including our trade secrets, data we may collect about trial participants in connection with clinical trials, and other sensitive data (“Information Systems and Data”).

Our Senior Director of IT Infrastructure & Security also functions as our information security officer (“ISO”). The ISO (as part of our security function), along with our broader internal cybersecurity, IT infrastructure, and digital technology automation functions, as well as third-party service providers, all help identify, assess and manage our cybersecurity threats and risks. Our security function identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, manual tools, automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, coordinating with law enforcement concerning threats, responding to proactive outreach from CISA and FBI, internal and/or external audits, conducting threat assessments for internal and external threats, third-party threat assessments, conducting vulnerability assessments to identify vulnerabilities, and use of external intelligence feeds.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to help manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: a corporate security incident response plan, a vulnerability management policy, incident detection and response processes, IT systems disaster recovery procedures, risk assessments, reasonable implementation of security controls in accordance with applicable security standards/certifications, encryption of data, network security controls, data segregation, access controls, physical security, asset management, tracking and disposal, systems monitoring, employee training, penetration testing, cybersecurity insurance, dedicated cybersecurity staff/officer. We also rely on third-party vendor backup/restore, disaster recovery and business continuity procedures as stated in the respective SOC 1 and SOC 2 reports if provided by such vendors as they pertain to certain of our managed services.

Our procedures for assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, (1) cybersecurity risk is evaluated as a component of our broader enterprise risk management program, identified in our risk register and monitored and managed more specifically by our Corporate Security Incident Response Team (CSIRT); (2) the security function works with the CSIRT to help prioritize our risk management processes and help mitigate cybersecurity threats that we believe are more likely to lead to a possible material impact to our business; (3) our ISO evaluates material risks identified from cybersecurity threats against our overall business objectives and reports to the audit committee of the board of directors (the "Audit Committee"), which reviews and discusses with senior management our overall risk assessment and management.

We use third-party managed service providers to assist us in identifying, assessing, mitigating and managing potential risks from cybersecurity threats. In addition, we engage other advisors from time to time to help identify, assess, mitigate and manage new or developing risks in a changing threat landscape. Such ongoing services and periodic services include professional services from providers such as legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, penetration testing firms, dark web monitoring services, and forensic investigators (as needed).

We use third-party service providers to perform a variety of functions throughout our business, such as application service providers, software-as-a-service providers, hosting companies, contract research organizations, contract manufacturing organizations, distributors, and other supply chain resources. We have a vendor management process to help manage cybersecurity risks associated with our use of these providers. This includes risk assessment for each vendor, review of security assessments, supplemental security questionnaires (as needed), security assessment calls with the vendor's security personnel, and imposition of certain information contractual obligations on the vendor. In addition, depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our information technology systems or those of third parties upon which we rely, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”

Governance

Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for reviewing and discussing with management our cybersecurity risk assessment and management processes, including our oversight and the steps we take to monitor and help control risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain of our management, including our ISO, who has over 20 years of experience in information security. Our ISO oversees a global team of information security professionals consisting of multiple full time equivalent employees in multiple countries.

Our ISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Our ISO (in coordination with our CSIRT) is also responsible for other functions, including preparing for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our CSIRT reviews, approves and prioritizes information security and cybersecurity policies, projects and initiatives. Executive management is responsible for prioritizing initiatives and approving budgets to allocate funding for the foregoing based on feedback from the ISO, the CSIRT and the Audit Committee.

Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our ISO. The ISO works with our CSIRT to help us mitigate and remediate cybersecurity threats or incidents of which they are notified. The ISO is responsible for designing and promoting general security awareness and training, as well as defining and training relevant participants on our incident response processes. Our security and incident response processes include escalation and reporting to the CSIRT, Disclosure Committee, senior management and Audit Committee for certain information security incidents, as warranted under the circumstances.

The Audit Committee receives periodic reports from the ISO concerning our significant cybersecurity threats and risk, and the processes we have implemented to address them. The Audit Committee also has access to various reports, summaries of reports or presentations related to cybersecurity threats, risk and mitigation.