Travere Therapeutics, Inc. - (TVTX)
10-K Filing Date: February 20, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data related to patients and clinical trials (“Information Systems and Data”).
Various members of our management team, IT department and other employees, including but not limited to the individuals on our cybersecurity incident management team, help identify, assess and manage our cybersecurity threats and risks. We manage, identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and risk profile using various methods including, for example: through the use of automated tools, including but not limited to tools for monitoring, geolocation, remote wiping, threat detection, intrusion detection and prevention (including through the use of machine learning, a form of artificial intelligence), patch management, distributed denial of service (DDoS) protection and forensics; conducting (directly or through third parties) regular audits and threat assessments for internal and external threats; subscribing to reports and services that identify cybersecurity threats; analyzing reports of threats and actors; conducting vulnerability assessments to identify vulnerabilities; evaluating our and our industry’s risk profile; conducting tabletop incident response exercises; and evaluating threats reported to us.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident response plans and procedures, disaster recovery/business continuity plans, risk assessments, implementation of security standards and certifications, encryption of data, network security controls, data segregation, access controls, physical security, asset management, tracking and disposal, systems monitoring, vendor risk management program, employee training and penetration testing.
Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, cybersecurity risk is addressed as a component of our enterprise risk management program, and members of our management team, IT department and other relevant team members work together to prioritize our risk management processes, mitigate cybersecurity threats that are more likely to lead to a material impact to our business, and report regularly to our board of directors on cybersecurity matters.
We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example managed cybersecurity service providers, threat intelligence service providers, dark web monitoring services, and other cybersecurity software providers.
We use third-party service providers to perform a variety of functions throughout our business, including but not limited to application providers, hosting companies, contract manufacturing organizations and contract research organizations. We have a vendor management program to oversee, identify and manage cybersecurity risks associated with our use of these providers. The program includes a risk assessment for vendors that may include, depending on the vendor and nature of services being performed, security questionnaires, review of the vendor's written security program, review of security assessments, audits and reports, vulnerability scans related to the vendor, security assessment calls with the vendor's security personnel, and the imposition of certain contractual obligations on the vendor, among other elements, in accordance with the processes outlined in our internal vendor selection, management, and oversight process policy and other internal guidelines. More specifically, the level of assessment may depend on the following: the nature of the services provided and the data the vendors may collect, retain, and utilize, the sensitivity of the Information Systems and Data at issue, and the identity of the provider.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor captioned “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse impacts resulting from such compromise, including, but not limited to, regulatory investigations or actions; litigation; fines and penalties; interruptions to our commercial operations, clinical trials or other operations; harm to our reputation; loss of revenue or profits; loss of sales and other adverse consequences.”
Governance
63
Our board of directors addresses our cybersecurity risk management as part of its general oversight function.
Our cybersecurity risk assessment and management processes are implemented and maintained by various members of our management team, IT department and other employees, including but not limited to the individuals on our cybersecurity incident management team, which includes individuals who have a diverse combination of relevant expertise, experience, education and training, with representation from our IT, legal, human resources, compliance, risk and privacy functions, among others. Our team includes individuals with relevant experience in enterprise risk management and disclosure controls and procedures. Additionally, certain members of our IT department have experience managing cybersecurity programs and are specifically assigned cybersecurity oversight.
Certain members of our management team and IT department are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including in some cases to our executive team. Our cybersecurity incident management team, and other individuals as needed, work to help us mitigate and remediate cybersecurity incidents of which we are notified. In addition, our incident response processes include a procedure for reporting certain cybersecurity incidents to the board of directors.
The board of directors receives regular reports from management concerning our cybersecurity risk management program. The board also receives various summaries and/or presentations related to cybersecurity threats, risks and mitigation.
Commencing in 2024, our Nominating / Corporate Governance Committee is taking the lead on behalf of the board of directors on oversight of our cybersecurity risk management program.