Aurinia Pharmaceuticals Inc. - (AUPH)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
We maintain a cybersecurity risk management program and related policies and processes to identify, assess and manage material risks from cybersecurity threats.
Our Information Security Policy is designed to align with certain best practices, including the EU General Data Protection Regulation (GDPR). This policy promotes the management and execution of our information security framework for preserving the confidentiality, integrity, availability and privacy of our information assets, including by helping enable us to better oversee, monitor and identify certain risks related to the processing of information by authorized third-party service providers. We also have an Information Technology (IT) Steering Committee to help ensure security and compliance across our IT services. We have in the past, and may in the future, engage third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes.
During 2023, we refreshed our business continuity program to assess the resilience of our processes and systems against potential threats, including cyber-attacks. Our refreshed crisis management and business continuity program establishes crisis management instructions with a detailed plan for each business department outlining critical processes, internal and external dependencies and recovery strategies. In addition, routine information security training and updates are regularly rolled out to our employees, and we track certain metrics that we believe help ensure we have a strong security posture.
To date, cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our Company.
One of the key functions of our Board is informed oversight of our risk management process. Our Board does not have a standing risk management committee, but rather administers this oversight function directly through the Board, as well as through various standing committees of our Board that address risks inherent in their respective areas of oversight. The Board as a whole regularly (and no less than annually) reviews management's annual enterprise risk assessment, business continuity process and cybersecurity posture. Our Audit Committee is responsible for overseeing the management of risks associated with our financial reporting, accounting and auditing matters, as well as business-related risks (such as leadership, continuity, cybersecurity and matters relating to our commercial activities), reviewing as required our processes around the management and monitoring of such risks, as well as conducting a risk assessment review. Our Audit Committee charter sets forth the responsibilities of the Audit Committee consistent with the applicable rules and regulations of the SEC and the Nasdaq rules, including reviewing the Company's approach to risk mitigation with respect to IT and cybersecurity. An information security update is provided quarterly, or as needed, to the Audit Committee, with a detailed review provided at least annually, or as needed.
In addition, our Chief Information Officer (CIO) is responsible for leading the assessment and management of cybersecurity risks. Our CIO has over 20 years of experience in information security and holds an MBA from The George B. Delaplaine School of Business and Economics. Our CIO regularly receives reports from our Head of IT Operations on cybersecurity threats and incidents, as applicable.