HALOZYME THERAPEUTICS, INC. - (HALO)

10-K Filing Date: February 20, 2024
Item 1C. Cybersecurity
Our information technology systems (“IT Systems”) play a central role in running nearly all aspects of our business operations. Our IT Systems are used for a variety of critical business functions including, but not limited to, internal and external communications, managing our documents and records, supporting functional and enterprise business processes and providing shared work environments across various business functions. Therefore, responding efficiently and effectively to cybersecurity incidents and threats is an important component of our enterprise risk management strategy. In order to respond to such incidents and threats, we have implemented a carefully designed Incident Response Plan (“IRP”).
Cybersecurity Risk Management and Strategy
The IRP provides our management and information technology personnel with processes and procedures for assessing, identifying, managing and escalating material risks from cybersecurity threats which have been integrated into our overall risk management processes. For example, our enterprise risk management processes involve the identification of events that may arise in the course of operating our business and the potential impact of such events on our business. We have identified and prioritized cybersecurity events as requiring increased managerial focus and urgency in actions taken to mitigate cybersecurity risks due to the potential impact such events could have on our business. Although the risks from cybersecurity threats have not materially affected our business strategy, results of operations or financial condition, it is possible that a cybersecurity incident resulting in a serious compromise of our IT Systems or a demand for payment to restore our IT Systems, could have a material adverse effect on us by negatively impacting our ability to operate our business effectively and by diverting the attention of our management and other resources, including financial resources, to address the cybersecurity incident. Despite our efforts to mitigate the risks associated with cybersecurity threats, we cannot eliminate all such risks or provide assurance that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, “Risk Factors” in this Annual Report on Form 10-K.
In connection with our processes for assessing, identifying and managing risk from cybersecurity, we engage various third parties to assist in managing these processes including:
Outside cybersecurity legal counsel to assist in updating our IRP and for consultation and coordination with other third parties in the event of a cyber incident;
Cybersecurity vendors that would perform various investigation services in the event of a cyber incident including assisting in determining the type of attack and impact to our information technology network, maintaining cybersecurity vigilance and assisting with the recovery and restoration of any impacted IT System services;
Cybersecurity experts who would, in the event of a cybersecurity incident, assist with validation of the incident; and
Vendors that would provide breach response services such as communications, notification to third parties and credit monitoring.
In addition to our IRP, we have also implemented processes to oversee and identify risks from cybersecurity threats associated with our use of third-party service providers. For example, where appropriate, we seek to negotiate contractual terms with certain third-party service providers that impose obligations on such service providers with the goal of protecting our confidential information.
Cybersecurity Governance
Our Incident Response Team has the primary responsibility of assessing and managing risks from cybersecurity threats and implementing the various stages of our IRP set forth above. The Incident Response Team is comprised of the following IT Systems management personnel and members of senior management:
Chief Information Officer (“CIO”) – Our CIO has over forty years of information technology experience across a wide range of industry sectors including insurance, financial and life sciences and forty years in life science research and development information security. For the past four years, our CIO has had oversight of our cybersecurity strategy and building out our cybersecurity capabilities and infrastructure in response to the growing threat from potential cyber security incidents on our IT Systems. Our CIO has also led the initiative to integrate our cybersecurity management into our overall enterprise risk management strategy. Our CIO has an NACD CERT certificate in cybersecurity oversight;
Associate Director, Information Technology (“IT Security Director”) – Our IT Security Director has approximately twenty years of relevant information technology experience including at least fifteen years of hands-on experience working in various cybersecurity domains, including asset and network security and architecture, identity access management, disaster recovery and business continuity. Our IT Security Director’s responsibilities include serving as the lead for cybersecurity under the direction of the CIO and maturing our cybersecurity program across all cybersecurity domains, including security and risk management. Our IT Security Director is a Certified Information Systems Security Professional and has an NACD CERT certificate in cybersecurity oversight;
Senior Vice President, Chief Legal Officer – Our Chief Legal Officer oversees our enterprise risk management strategy and serves as the executive management representative on our Incident Response Team; and
Vice President, Business Continuity & Sustainable Operations (“VP Business Continuity”) – Our VP Business Continuity has responsibility for overseeing our Business Continuity Plan which incorporates our IRP. Our VP Business Continuity has over 15 years leading the business continuity programs for various companies and has training on ISO 22301 (the Business Continuity ISO Standard).
Under its committee charter, the Audit Committee of the Board of Directors (the “Audit Committee”) is responsible for discussing with senior management our policies with respect to risk assessment and risk management and for discussing with management our financial risk exposures and the steps management has taken to monitor and control such exposures. In particular, the Audit Committee oversees our cybersecurity strategy designed to identify, assess and mitigate cybersecurity risks, and reviews our cybersecurity and other information technology risks, controls and procedures, and receives periodic updates from management on cybersecurity regarding the adequacy and effectiveness of our cybersecurity measures. In fulfilling this oversight responsibility, the Audit Committee receives a periodic update of our cybersecurity strategy. Included in this review is a thorough discussion of the risks from cybersecurity threats including the potential impact of such threats to our operations. Specifically, with respect to cybersecurity risks, Incident Response Team members report to the Audit Committee on the (i) potential impact of the risk to the business, (ii) our current capabilities in managing such risks, (iii) the urgency for action in managing such risks and (iv) the outlook for a potential impact on us as a result of the risk. The Audit Committee also receives reports from members of the Incident Response Team on our mitigation efforts to address cybersecurity risks.
We have also instituted a separate process for communicating with the Audit Committee regarding any risks from an actual cybersecurity threat in the event we are the target of a specific cybersecurity incident. As part of our response to such an incident, members of the Incident Response Team would provide an initial awareness communication of the incident to our Chief Executive Officer who would in turn inform the Chairman of our Board of Directors (“Board Chair”) and the Chair of the Audit Committee (“Audit Committee Chair”). Following an initial assessment of the incident by senior management and IT Systems personnel, we would provide a follow-up communication to the Board Chair and Audit Committee Chair and determine whether further escalation to the full Board of Directors is warranted.