INCYTE CORP - (INCY)
10-K Filing Date: February 13, 2024
Item 1C. Cybersecurity
Incyte is committed to maintaining robust oversight and governance of potential cybersecurity risks and to implementing processes and controls that help us identify, assess and manage such risks. To date, we have not experienced a cybersecurity threat or incident that has resulted in a material adverse impact to our business or operations. However, we cannot guarantee that we will not experience such a threat or incident in the future, given the increasing sophistication of those responsible for cybersecurity incidents. While we seek to detect and investigate unauthorized attempts and attacks against our network and to prevent their occurrence where practicable through our internal processes and tools, we remain potentially vulnerable to known or unknown threats. In some instances, we can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. See "Item 1A. Risk Factors" for more information on our cybersecurity risks.
We aim to incorporate and align with industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies and other processes to assess, identify, manage and mitigate material cybersecurity risks. These include, among other things, having mechanisms in place to detect and monitor unusual network activity, utilizing vulnerability assessment scans and tools, and conducting external and internal penetration tests and security assessments using the National Institute of Standards and Technology (NIST) Cybersecurity Framework. We engage third-party experts to assist with numerous aspects of our cybersecurity program, including vulnerability assessment scans, penetration tests and security assessments. These outside experts are utilized on a rotating basis to enable us to receive multiple viewpoints on the security of our technological resources. Additionally, from time to time, our internal audit function reviews and assesses various aspects of our cybersecurity program. We also engage in threat intelligence monitoring, including monitoring the dark web and zero-day vulnerability and attack information, and have processes in place to assess the potential cybersecurity impact or risk of any identified threats on our company, including potential impacts on our business partners and other parties with whom we share information. We actively engage with industry groups for peer benchmarking purposes and to stay current on best practices.
We rely heavily on our vendors and other third-party service providers in our clinical development activities as well as to manufacture and deliver our products, and a cybersecurity incident at a vendor or other third-party service provider could have a material and adverse impact on our business, results of operations and financial condition. We have further processes in place to assess the cybersecurity risks associated with our vendors and other third-party service providers, and we require such providers to take appropriate precautions to protect our data and to notify us promptly in the event of any known or suspected data breach or cyber incident.
Our cybersecurity program is integrated into our broader approach to risk management, and ultimate oversight for the program sits with our Board of Directors. The Board of Directors is aided by its Audit and Finance Committee, which regularly reviews our cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit and Finance Committee or the Board of Directors generally occur at least twice annually, or more frequently as determined to be necessary or advisable.
Incyte’s Chief Information Security Officer (CISO) runs our cybersecurity program. Our CISO, who holds numerous cybersecurity and related certifications, including Certified Information Systems Security Professional, reports in to our Chief Information Officer (CIO). Our CISO and CIO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. They regularly report directly to the Audit and Finance Committee or the Board of Directors on our cybersecurity program and our efforts to prevent, detect, mitigate and remediate cybersecurity incidents. In addition, we have an escalation process in place to inform senior management and the Board of Directors of any material issues as they arise.