Alkermes plc. - (ALKS)
10-K Filing Date: February 21, 2024
Risk Management and Strategy
In the ordinary course of our business, we collect and store sensitive data, including intellectual property, proprietary business information of ours and that of our suppliers and partners, and personally identifiable information of persons who use our medicines, clinical trial participants and employees. Our partners and third-party providers also possess certain of our sensitive data. The secure maintenance of all such information and the secure performance of our information technology (“IT”) systems are critical to our operations and business strategy. As our dependency on, and the complexity of, our IT systems increases, the confidentiality, integrity and availability of our IT systems and the data that they store are critical to managing our business.
Our Information Security Management System (“ISMS”) is a key element of our information security program, and it is designed to identify, assess, help mitigate, and monitor information technology risks across the organization, including information security risks. The ISMS is informed by the structured principles of International Standard ISO/IEC 27001:2022 (Information security, cybersecurity, and privacy protection), which outlines guidance for the establishment, implementation, maintenance, and improvement of information security management systems. Our ISMS comprises processes designed to identify cybersecurity risks, safeguard information assets and preserve the confidentiality, integrity, and availability of information owned, managed and maintained by us. Our ISMS includes formal written policies and procedures, technical security controls, such as automated tools designed to detect and prevent cybersecurity incidents, and programs designed to promote internal and third-party risk management, audit management, incident response and security awareness, including employee security awareness trainings and other initiatives. Our ISMS also includes periodic security audits, vulnerability assessments and penetration testing to proactively identify potential system vulnerabilities. Our ISMS is periodically assessed by third-party assessors, and the results of such assessments, including any cybersecurity risks identified and managed thereby, are reported to the audit and risk committee of our board of directors, as described below, and are used by us to improve our ISMS specifically and our information security program generally.
As part of our information security program, we also have a program in place for management of cybersecurity risks associated with third-party handling of our confidential information, including their provision of critical services on our behalf. We conduct due diligence of our third-party vendors through an assessment of their security practices and overall risk profile, including through their completion of vendor assessment questionnaires and our application of established mechanisms for ongoing monitoring of such third parties, including tools such as security ratings services and periodic reassessment questionnaires.
As of the date of this Annual Report, we have not experienced any information security incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition, and we have not identified any current cybersecurity threats that we believe are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
Governance and Oversight
We have a multi-layered information security governance framework in place to provide oversight of our information security program and strategy, our ISMS, and related risks and opportunities. This governance framework includes procedures for escalation of identified information security risks, threats or incidents through various management levels, including up to our Information Security Governing Body, which is comprised of our Chief Executive Officer, Chief Information Officer, Chief Operating Officer, Chief Financial Officer, Chief Legal Officer and other members of management, and as appropriate, up to our board of directors.
Our information security team, led by our Chief Information Officer, is responsible for developing, implementing and overseeing our Company-wide information security strategy and related policies and practices. The information security team is managed on a day-to-day basis by our Director and Executive Director of Information Security and works cross-functionally throughout the organization to assess and prepare the Company for identification and mitigation of, and if necessary response to, information security risks. Our information security team members collectively have extensive IT, IT security and cloud industry experience, as well as certifications pertaining to information security and privacy (such as Certified Information Systems Security Professional, Certified Information Security Manager, Certified Information Privacy Technologist, GIAC Security Essentials and GIAC Information Security Professional certifications).
Our board of directors, as a whole and through its committees, has responsibility for the oversight of risk management. The audit and risk committee of our board of directors specifically oversees critical risks and opportunities facing the Company and, in this context, reviews and provides feedback on our company-wide enterprise risk management program, which encompasses risks related to information technology and cybersecurity and mitigations put in place, or to be put in place, in response to such risks. The audit and risk committee periodically reports to the full board of directors regarding the audit and risk committee’s oversight of the Company’s enterprise risk management program and periodic risk assessment results. In addition, our board of directors receives periodic updates from our Chief Information Officer and our Executive Director of Information Security on the ISMS and other information security initiatives, and on our information security governance framework.