Arcus Biosciences, Inc. - (RCUS)

10-K Filing Date: February 21, 2024
Item 1C. Cybersecurity
Risk management and strategy
We have implemented and maintain a cybersecurity program that includes various processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including clinical trial and candidate data, intellectual property, and confidential information that is proprietary, strategic or competitive in nature (“Information Systems and Data”).
Our information security function, led by our Vice President of Information Technology (“VP of IT”), helps to identify, assess and manage the Company’s cybersecurity threats and risks. This function helps to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, deploying automated tools in certain environments, subscribing to and analyzing reports and services that identify certain cybersecurity threats, conducting scans of certain aspects of the Company’s threat environment, evaluating certain threats that are reported to us, conducting internal and external audits and internal threat assessment of certain environments, engaging third parties to conduct threat assessments, and conducting vulnerability assessments.
We have engaged third-party providers to periodically assess certain of our internal controls and procedures for information security. We have also taken certain measures to mitigate cybersecurity risks, including, for example, cybersecurity awareness training for employees and management, periodic testing through simulated “phishing” campaigns (with remedial training required based on results) and the adoption of an incident response plan, vulnerability management policy and business recovery plan.
Furthermore, our information security function works with a security committee (the “Security Committee”) to prioritize our risk management processes, mitigate cybersecurity threats that are more likely to lead to a material impact to our business and evaluate material risks from cybersecurity threats against our overall business objectives. We use third-party service providers to perform a variety of functions throughout our business, such as CROs and contract manufacturing organizations (CMOs). Under our information security function, we perform risk and security assessments for certain of our vendors that involve a review of the vendor’s written security program. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity or experience of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and we may impose contractual obligations related to cybersecurity on the vendor.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, please see “Risk Factors” in Part I, Item 1A herein.
Governance
Our board of directors considers cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our Security Committee is comprised of key management stakeholders and experts, including our General Counsel, Chief Accounting Officer and Vice President of Ethics and Compliance and is chaired by our VP of IT, who has over 20 years of experience in strategic and operational IT/cybersecurity leadership and has received multiple cybersecurity certificates including (ISC)2, Cloud Security Alliance, Cisco Security and Microsoft Security Professional. The Security Committee is responsible for helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy and communicating key priorities to relevant personnel, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
The audit committee receives periodic reports from our VP of IT concerning the Company’s significant cybersecurity threats and risk and the processes the Company has implemented to address them. Under our incident response plan, certain incidents would also be reported to the board.