EXACT SCIENCES CORP - (EXAS)
10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Governance
Our Board of Directors administers its cybersecurity risk oversight function directly through our Audit and Finance Committee (“AFC”). Our AFC has primary responsibility for overseeing our risk management practices, programs, policies, and procedures related to data privacy, data protection, and cybersecurity. The AFC reviews and evaluates the processes utilized by management to identify and assess the material internal and external risks that may affect the Company's business. Our AFC regularly discusses with management, Company legal counsel, and the internal audit department the Company's major risk exposures, including their potential financial impact on the Company and the steps taken to monitor and control those risks. Reviews with management are conducted annually and include a summary of legal and regulatory compliance matters and risk management activities, including a review of the Company's cybersecurity program. Additionally, our AFC oversees the process by which our Board of Directors is informed regarding the risks facing the Company and coordinates with the Company's legal counsel to ensure our Board of Directors receives regular risk assessment updates from management.
The Chief Information Security Officer (“CISO”) is responsible for identifying, assessing and managing the Company’s risks from cybersecurity threats. The CISO has been with the Company for two years and has over 30 years of experience in technology, including 15 years in cybersecurity, and has held the CISO position at prior companies before joining Exact Sciences. The CISO is supported by a cybersecurity team that is staffed with experts in strategy, governance, risk management, compliance, engineering and development, security operations, and incident management.
The CISO provides our AFC with quarterly updates about our cybersecurity program and material risks. This includes updates on cybersecurity practices, programs, and the status of projects designed to strengthen internal cybersecurity and data protection.
Risk Management and Strategy
Processes for identifying and assessing cybersecurity risks
The CISO, with the support of the cybersecurity team and the owners of information technology across the business, monitors current events and trends related to cybersecurity and assesses any potential impact on current systems and operations. There are several processes in place to monitor and review our systems, including third-party solutions, to identify potential risks. Third-party service providers are required to notify us in the event of a cybersecurity incident within their systems, and annual reviews are conducted on the Company’s critical third-party vendors. Cybersecurity risks, threats, and incidents, including those from third-party service providers, are tracked and regularly reported to the CISO. Beginning in 2024, the Cybersecurity Leadership Team, which includes the CISO and executives from all business functions across the organization, meets at least quarterly to review and discuss cybersecurity risks facing the Company.
Processes for managing cybersecurity risks
The cybersecurity team tracks risks and incidents related to cybersecurity until the risk is mitigated to an acceptable level or fully remediated. When a risk is identified, the cybersecurity team oversees a mitigation plan with the risk owner; the plan is communicated to the affected teams and remediation steps are taken.
Processes for incorporating cybersecurity risks into the overall risk management process
Our process for identifying, assessing, and managing risks related to cybersecurity is incorporated into our Enterprise Risk Management (“ERM”) process. The Risk Management team meets at least annually with cybersecurity leadership to discuss cybersecurity related risks identified and the potential likelihood and severity of each risk. Through the ERM process, cybersecurity risks are presented to the executive leadership team, including the CEO and CFO, as well as reported to the AFC.
Currently, we are not aware of any risks from cybersecurity threats, or from previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company.