IRONWOOD PHARMACEUTICALS INC - (IRWD)
10-K Filing Date: February 16, 2024
We have a multilayered framework for assessing, identifying, detecting and responding to reasonably foreseeable cybersecurity risks and threats. To protect our information technology, or IT, systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. In the event of a material change to our systems or operations, we would conduct an assessment of the internal and external threats to the security, confidentiality, integrity, and availability of our data and systems, along with other material risks to our operations. We leverage third-party security services for audit, benchmarking, and improvement and use various tools and methodologies to manage cybersecurity risks that are tested regularly, including a cybersecurity assessment guided by the National Institute of Standards and Technology (NIST) cybersecurity framework and ongoing security awareness training. We oversee third-party service providers by conducting vendor diligence upon onboarding and ongoing monitoring. Vendors are assessed for risk based on the nature of their digital footprint, company profile, domain name services health, internet protocol reputation, external access threats and social engineering landscapes. Based on that assessment, we conduct diligence that may include completing security questionnaires, onsite evaluation, and scans or other technical evaluations. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, simulated phishing tests, penetration tests, and threat intelligence feeds. The results of these assessments are reported to the Audit Committee of the Board of Directors.
We have developed an incident response plan designed to coordinate the activities that we and our third-party security service provider take to prepare for, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate any reputational damage.
Our business strategy, results of operations and financial condition have not been materially affected as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material incidents. For more information on our cybersecurity-related risks, see Item 1A, Risk Factors, elsewhere in this Annual Report on Form 10-K.
The Company’s Chief Information Officer, or CIO, is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Audit Committee of the Board of Directors and management. Our CIO has over 20 years of cybersecurity experience in various roles involving information security, developing cybersecurity strategies, and implementing cybersecurity programs.
Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The Audit Committee of the Board of Directors oversees our cybersecurity risk and receives regular reports, with a minimum frequency of once per year, from our CIO on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. Promptly after becoming aware of a material cybersecurity incident affecting our IT systems or data, the Audit Committee would work with management to formulate a mitigation plan and review compliance with such plan, as well as to ensure compliance with any external regulatory or disclosure requirements, including any disclosures of material cybersecurity breaches.