Cyber Risk Management and Strategy

Kymera uses, stores and processes data for and about our research programs, clinical trials, employees, and suppliers. We have developed and maintain an information security program designed to assess, identify, and manage risks from cybersecurity threats, including to our data and systems. We conduct periodic assessments of our assets, including internal and external security testing, as part of our risk management process and to evaluate the effectiveness of applicable security controls. These assessments are informed by industry standards. Our cybersecurity risk management process is a part of our overall risk management program. We also have an employee education program that includes training designed to raise awareness of cybersecurity threats. We have adopted an Incident Response Policy that outlines the legal and governance process for identifying and managing material cyber risks to our information and information systems and our framework for assessing and responding to cyber incidents, as applicable.

Governance Related to Cybersecurity Risks

Under the ultimate direction of the Chief Executive Officer and our executive management team, the Cybersecurity Supervisory Committee (CSSC) has primary responsibility for overseeing our management of cybersecurity risks, which includes representatives from finance, legal, operations, human resources, and information technology. The CSSC meets as circumstances warrant to review and update incident response procedures and to provide oversight of incident response activities of the Cyber Security Incident Response Team.

The head of information technology and the CSSC have primary responsibility for assessing and managing our cybersecurity program. The head of information technology, who reports to the Chief Operating Officer, has more than 25 years of experience in building and leading information technology and security teams.

The board of directors has ultimate oversight of our risk management program and has delegated oversight of that program, including, oversight of cybersecurity, to the audit committee of the board of directors. The S.V.P. of Information Technology presents to the audit committee periodically regarding cybersecurity matters. The Chief Financial Officer and the Chief Legal Officer are responsible for informing the audit committee in the event of any material cybersecurity incidents and any potential disclosure obligations arising from such incidents.