Intra-Cellular Therapies, Inc. - (ITCI)

10-K Filing Date: February 22, 2024
Item 1C.

Cybersecurity Risk Management Strategy and Approach
Our cybersecurity policies, standards, practices and risk management strategy are based on recognized frameworks established by the National Institute of Standards and Technology (NIST) and other applicable industry standards. We currently utilize the NIST Cybersecurity Framework (CSF) to define and build master controls and processes. The NIST CSF presents leading practices and addresses many aspects of cybersecurity risk management. The CSF defines a comprehensive set of cybersecurity controls to manage risk and also defines an approach for the identification and remediation of risks to ensure our assets are hardened to resist potential attacks. Our assets are continually scanned for vulnerabilities, and remediation measures are put in place to address them. We utilize the processes and procedures defined in the NIST Computer Security Incident Handling Guide to manage, contain, eradicate and recover from incidents, and to improve our defenses, detection and remediation processes to help prevent future incidents. Additionally, we have implemented a governance model to oversee the creation and execution of our Cybersecurity Strategy embodied in our policies, standards, practices, incident response plans, risk management actions and improvement roadmap.
To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process.
We use specific control measures and processes developed from the NIST CSF that may be technical, procedural, or human in nature and that are designed to protect availability, integrity and confidentiality of critical data and systems, maintain regulatory compliance, assess, identify and manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents. These controls and processes are reviewed periodically for effectiveness in light of the ever-changing threat environment as part of our active cybersecurity risk management process. That review includes an external assessment of control coverage and effectiveness. We undertake the following activities:
monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including hardening all devices to reduce attack surface as well as implementing the following: encryption of data in flight and at rest, firewalls, managed detection and response systems, endpoint detection and response including anti-malware functionality, and access controls including centralized entitlement and authentication management;
provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to identify and address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices;
conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats;
conduct cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
leverage the NIST incident handling framework to help us identify, protect, detect, respond, recover, and improve our process, actions and systems when there is an actual or potential cybersecurity incident;
conduct regular vulnerability scans of our environment as a detective control to identify vulnerabilities arising out of improper configurations or unpatched software and systems;
manage physical access to our facilities using integrated card swipe technology; and
authorize and control logical system access to our critical systems utilizing single sign-on (SSO) and multi-factor authentication (MFA).
As part of our risk management processes, we periodically perform risk assessments across internal and third-party providers that proactively identify top cybersecurity risks and manage those risks by remediating control limitations and vulnerabilities. These are prioritized for remediation using a risk impact analysis and are mitigated in one of two ways. The first remediation approach uses cybersecurity roadmaps of actions that are part of our Information Security Management Program (ISMP). The second remediation approach is triggered if significant vulnerabilities are identified or new threats emerge, in which case these risks are remediated immediately. We regularly engage with consultants, auditors and other third parties to assist with assessments and remediation, including having a third-party independent qualified expert assessor review our cybersecurity program to help identify areas for continued focus, improvement and compliance. We actively engage with industry groups for peer benchmarking purposes and to stay current on best practices.
We employ a range of tools and services to test our controls and program effectiveness, including external evaluations, annual penetration tests, ongoing vulnerability scanning, regular network and endpoint monitoring, audits, threat modeling, tabletop exercises, and engaging experts to attempt to infiltrate our information systems. The ISMP documents our approach to risk governance and the totality of our defense and response capabilities, as well as the in-year and out-year improvement roadmaps. Any risks that cannot be remediated are examined to ensure insurance and other risk transfer mechanisms can be leveraged to address those risks.
Our processes also address cybersecurity risks associated with our use of third-party service providers, including our clinical research organizations, suppliers and manufacturers or those who have access to data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers that process controlled and/or classified data as part of our procurement process. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
The Company maintains a Security Awareness and Training Program that reinforces the Company's cybersecurity policies, standards and practices through training on how to identify potential cybersecurity risks and protect company resources and information, as well as phishing and other tests. Those users who fail the tests are required to take remedial training. Training is mandatory for all employees and contingent workers who have access to our electronic systems. Finally, our Privacy Program requires all employees to take periodic awareness training on data privacy.
We have experienced continual attempts by cyber criminals to gain access to our systems for the purposes of monetary gain. To the best of our knowledge, in the last three years, we have not experienced any material cybersecurity incidents and no events have resulted in a threat actor being able to take control of any of our data or information technology assets.
To efficiently and effectively plan for and manage cybersecurity incidents and privacy events, we have developed Incident Response Policy, Procedures and Play Books that memorialize appropriate actions and procedures as well as template communications for various incident types and severity. Our Incident Response Policy, Procedures and Play Books coordinate the activities we take to prepare for, detect, respond to, and recover and improve following cybersecurity incidents, which include processes to identify, investigate, triage, assess severity for, escalate, contain, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
Cybersecurity Governance and Management
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats.
At least semi-annually, our board of directors receives an update from management on our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our board of directors generally receives materials discussing current and emerging material cybersecurity threat risks, and describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties, and discusses such matters with our Chief Information Officer. Our audit committee also will receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Members of our board of directors are also encouraged to regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
We also have a cybersecurity steering committee responsible for assisting with our overall day-to-day cybersecurity responsibilities and implementing our cybersecurity programs. Our cybersecurity steering committee is a cross-functional team and is chaired by our Chief Information Officer.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by a team of senior level management, including our President, Chief Executive Officer and Chairman of the Board, Senior Vice President of Finance and Chief Financial Officer, Executive Vice President, General Counsel and Secretary, and Chief Information Officer. Such individuals collectively have significant prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs, as well as several relevant degrees and certifications.
A qualified individual with over 35 years of cyber, IT security and risk management experience, who holds both the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) certifications, has been engaged to advise the CIO and build out our Cybersecurity Governance Model and the ISMP.
These management team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our Incident Response Policy, Procedures and Play Books. As discussed above, these management team members report to the audit committee of our board of directors about cybersecurity risks, among other cybersecurity-related matters, on a semi-annual basis.