INSMED Inc - (INSM)

10-K Filing Date: February 22, 2024
ITEM 1C. CYBERSECURITY
We incorporate assessment of our cybersecurity initiatives into our Enterprise Risk Management program. The Enterprise Risk Management program evaluates risk areas including, but not limited to, operational risk, intellectual property theft, fraud, harm to employees, patients, or third parties, and violation of privacy or security-related laws or regulations. As part of our efforts to mitigate cyber risk, we have implemented cybersecurity processes, technologies, and controls designed to identify and manage potential material cyber risks and have obtained cyber-specific insurance coverage.
We employ a range of tools and services, including regular network and endpoint monitoring, managed detection and response, system patching, managed security services, server and endpoint scheduled backups, awareness training and testing, periodic vulnerability assessment and penetration testing, to update our ongoing risk identification and mitigation efforts. We have a cybersecurity assessment process, which helps identify our cybersecurity risks by comparing our processes to standards set by the Center for Internet Security. Our processes also assess cybersecurity risks associated with our use of third-party service providers. We proactively engage with key vendors, industry participants, and law enforcement/cyber threat intelligence communities as part of our continuing efforts to evaluate and enhance the effectiveness of our information security policies and procedures.
Our information security program is managed by a senior director who reports to the Chief Information Officer (CIO), providing routine security program updates and briefings. The current senior director has more than 25 years of experience in cybersecurity, federal law enforcement, and cyber investigations, while possessing the required subject matter expertise, skills, experience, and industry certifications expected of an individual assigned to these duties. Our information security team, which includes the CIO and senior director, as well as additional professionals, is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, and processes. Our CIO provides regular updates to our Chief Executive Officer and other members of management. The Audit Committee of the Board of Directors is responsible for oversight of the Company’s cybersecurity risk exposure and the CIO provides reports to the Audit Committee, as well as the full Board of Directors, at least annually. The reports to management and our Board include updates on the Company’s cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape.
For the year ended December 31, 2023, we are not aware of any material cybersecurity incidents.