Vanda Pharmaceuticals Inc. - (VNDA)

10-K Filing Date: February 08, 2024
ITEM 1C.
CYBERSECURITY
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things, operational risks; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks.
Our process for identifying and assessing material risks from cybersecurity threats operates alongside our broader overall risk assessment process, covering all company risks. As part of this process, appropriate personnel will collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity and potential mitigations.
We also have a cybersecurity specific risk assessment process, which helps identify our cybersecurity threat risks. As part of this process, and our processes to provide for the availability of critical data and systems, maintain regulatory compliance, identify and manage our risks from cybersecurity threats and to protect against, detect and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities, among others:
compare our processes to benchmark standards, such as those set by the National Institute of Standards and Technology (NIST);
closely monitor emerging data protection laws and implement changes to our processes designed to comply;
conduct annual customer data handling and use requirements training for employees;
conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data;
through policy, practice and contract (as applicable) require employees, as well as third parties who provide services on our behalf, to treat customer information and data with care;
run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
conduct regular network and endpoint monitoring, vulnerability assessments, and penetration testing to improve our information systems, as such term is defined in Item 106(a) of Regulation S-K;
leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
carry information security risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we may engage with assessors, consultants, auditors, and other third parties, including by having a third party review our cybersecurity program to help identify areas for continued focus, improvement and/or compliance.
Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain, our CROs or those who have access to our customer and employee data or our systems. Third-party risks are included within our broader overall risk assessment process, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence.
We describe whether and how risks from identified cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the risk factors entitled “We are increasingly dependent on information technology systems, infrastructure and data. Cybersecurity breaches could expose us to liability, damage our reputation, compromise our confidential information or otherwise adversely affect our business,” and “Our internal computer systems, or those of our collaborators, CROs or other contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of development programs for our product candidates,” in Part I, Item 1A of this Annual Report on Form 10-K, each of which is incorporated herein by reference.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. At least quarterly, the Audit Committee receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, results from third-party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. Members of the Audit Committee are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like risk management, business continuity planning, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by a team of senior level management, including our President, Chief Executive Officer and Chairman of the Board, Senior Vice President, Chief Financial Officer and Treasurer, Senior Vice President, General Counsel and Secretary, and VP of Information Technology. Such individuals collectively have significant prior work experience in various roles involving managing information security, developing cybersecurity strategy and implementing effective information and cybersecurity programs.
These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
As discussed above, these members of management report to the Audit Committee about cybersecurity threat risks, among other cybersecurity related matters.