NEUROCRINE BIOSCIENCES INC - (NBIX)
10-K Filing Date: February 09, 2024
Item 1C. Cybersecurity
Risk Management and Strategy. We rely on information technology and data to operate our business and develop, market, and deliver our therapies to our customers. We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to critical computer networks, third party hosted services, communications systems, hardware, lab equipment, software, and our critical data, including confidential, personal, proprietary, and sensitive data (collectively “Information Assets”). Accordingly, we maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess their potential material impact to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business.
The Company’s general risk management program is designed to manage identified material risks, which would include material cybersecurity risks.
We engage in processes designed to identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, coordinating with law enforcement concerning threats, conducting threat assessments for internal and external threats, and conducting vulnerability assessments to identify vulnerabilities.
We rely on a multidisciplinary team (including from our information security function, management, and third party service providers, as described further below) to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats.
Depending on the environment, we implement and maintain various technical, physical and organizational measures designed to manage and mitigate material risks from cybersecurity threats to our Information Assets. The cybersecurity risk management and mitigation measures we implement for certain of our Information Assets include: policies and procedures designed to address cybersecurity threats, including an incident response plan, vulnerability management policy, and disaster recovery/business continuity plans; incident detection and response tools; internal and/or external audits to assess our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls; documented risk assessments; implementation of security standards/certifications; credit and background checks on our and/or third parties’ personnel; encryption of data; network security controls; threat modeling; data segregation; physical and electronic access controls; physical security; asset management, tracking and disposal; systems monitoring; vendor risk management program; employee security training; penetration testing; red/blue team exercises; cyber insurance; dedicated cybersecurity staff/officer.
We work with third parties from time to time that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, and penetration testing providers.
To operate our business, we utilize certain third-party service providers to perform a variety of functions, such as outsourced business critical functions, clinical research, professional services, SaaS platforms, managed services, property management, cloud-based infrastructure, data center facilities, content delivery, encryption and authentication technology, corporate productivity services, and other functions. We have certain vendor management processes designed to help to manage cybersecurity risks associated with our use of certain of these providers. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, conducting on-site inspections, requiring their completion of written questionnaires regarding their services and data handling practices, and conducting periodic re-assessments during their engagement.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, refer to Part I, Item 1A. Risk Factors for additional information about cybersecurity-related risks.
Governance. Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including a Chief Information Officer, who reports to the CFO. Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into the company’s overall risk management strategy, and for communicating key priorities to employees, as well as for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management processes involve management, who participates in our disclosure controls and procedures.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances, including working with the company’s incident response team to help the company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the company’s incident response processes include reporting to the audit committee of the board of directors for certain cybersecurity incidents.
Management is involved with the Company’s efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing the preparation of cybersecurity policies and procedures, the testing of incident response plans, and the engagement of vendors to conduct penetration tests. Management participates in cybersecurity incident response efforts by being a member of the incident response team and helping direct the company’s response to cybersecurity incidents.
Our board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing the company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The audit committee also has access to various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation.