Amylyx Pharmaceuticals, Inc. - (AMLX)
10-K Filing Date: February 22, 2024
Risk Management and Strategy
We recognize that cybersecurity threats have been increasing in number and severity in the general marketplace and in our industry. In an effort to address these threats, we maintain a cybersecurity risk management strategy that is designed to identify, assess, and manage cybersecurity risks to our business. Our cybersecurity risk management strategy includes various policies and components, including cybersecurity assessments, an incident response plan, evaluation of the security practices of our key vendors, and cybersecurity awareness training for our staff. We also leverage third-party technology and security tools and solutions, including alerting and monitoring tools, to support our cybersecurity program.
We engage a third party to conduct a cybersecurity risk assessment on an annual basis, which is informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We have established a process for our IT security team to track and quantify known IT security risks and our remediation efforts through a cybersecurity risk register. The IT security team meets periodically to review and update the cybersecurity risk register based on feedback across the organization and the findings contained in our NIST-informed annual cybersecurity risk assessment. The IT security team reports on findings on at least an annual basis to the executive leadership team and the board of directors.
We have established a process to review and assess major software vendors’ security practices prior to onboarding, which includes review of the vendors’ responses to cybersecurity questionnaires and security audit reports and certifications, as applicable. Our process also includes contractual requirements for major vendors that process data on our behalf to maintain data protection safeguards.
We maintain a security awareness training program for employees, which is provided during onboarding. We also provide additional mandatory trainings, including phishing training, throughout the year.
We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected, and we do not believe they are reasonably likely to materially affect, our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our and our third-party vendors’ information systems. For more information about the cybersecurity risks we face, see the risk factor entitled “Cyber-attacks or other failures in our telecommunications or IT systems, or those of our collaborators, CROs, third-party logistics providers, distributors or other contractors or consultants, could result in information theft, data corruption and significant disruption of our business operations” in Item 1A - Risk Factors.
Governance of Cybersecurity Risks
Our board of directors is responsible for the general oversight of cybersecurity risks and is informed of key updates to our cybersecurity processes by our audit committee and relevant members of our executive leadership team on at least an annual basis.
Our audit committee and members of our executive leadership team meet with our Head of Global Information Technology on a quarterly basis, along with other members of our IT security team from time to time, to discuss cybersecurity matters, such as the emerging cybersecurity threat landscape, significant developments to our cybersecurity processes, and our cybersecurity risk assessments.
Our IT security team, led by the Head of Global Information Security, Governance and Architecture (“Head of Global ISGA”), is responsible for managing and directing the day-to-day information security strategy of the organization, including oversight of our cybersecurity tools, controls and strategies to protect organization assets, networks and data. The Head of Global ISGA reports to our Head of Global Information Technology. The Head of Global ISGA routinely reports on cybersecurity risks, projects, and initiatives to the Head of Global Information Technology, who regularly reports to executive management and the audit committee on these matters as described above.
The Head of Global ISGA maintains a Certified Information Systems Security Professional, or CISSP, certification and has approximately two decades of IT security management experience. The IT security team is supported by external vendors that provide managed services for network support, security operations and other IT areas as needed. Our IT security team also meets regularly with our Global Privacy Committee, which oversees our Enterprise Data Protection Program, to coordinate on cybersecurity initiatives and strategy related to protection of personal data.