Viking Therapeutics, Inc. - (VKTX)

10-K Filing Date: February 07, 2024
Item 1C. Cybersecurity

Our board of directors is responsible for overseeing our risk management program and cybersecurity is a critical element of this program. Management is responsible for the day-to-day administration of our risk management program and our cybersecurity policies, processes, and practices. Our cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards and are fully integrated into our overall risk management system and processes as part of our IT security incident response plan.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management strategy focuses on several areas:

Identification and Reporting: We have implemented a cross-functional approach to assessing, identifying and managing material cybersecurity threats and incidents. Our program includes controls and procedures to identify, classify and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of material incidents in a timely manner.
Technical Safeguards: We implement technical safeguards that are designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence, as well as outside audits and certifications.
Incident Response and Recovery Planning: We have established and maintain comprehensive incident response, business continuity, and disaster recovery plans designed to address our response to a cybersecurity incident. We conduct regular tabletop exercises to test these plans and ensure personnel are familiar with their roles in a response scenario.
Third-Party Risk Management: We maintain a risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties, including vendors, service providers, and other external users of our systems, as well as the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems, including any outside auditors or consultants who advise on our cybersecurity systems.
Education and Awareness: We provide regular, mandatory training for all employees regarding cybersecurity threats, both to make employees aware of these threats and equip them with tools to address them, and to communicate our evolving information security policies, standards, processes, and practices.

We conduct periodic assessments and testing of our policies, standards, processes, and practices in a manner intended to address cybersecurity threats and events. The results of such assessments, audits, and reviews are evaluated by management and reported to our Audit Committee and our board of directors, and we adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by these assessments, audits, and reviews. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition.

Governance

Our board of directors, in coordination with our Audit Committee, oversees our risk management program, including the management of cybersecurity threats. Our board of directors and our Audit Committee each receive regular presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by our peers and third parties. Our board of directors and our Audit Committee also receive prompt and timely information regarding any cybersecurity risk that meets pre-established reporting thresholds, as well as ongoing updates regarding any such risk. On an annual basis, our board of directors and the Audit Committee discuss our approach to overseeing cybersecurity threats with our Information Systems Representative and other members of senior management.

The Information Systems Representative, in coordination with senior management including our Chief Executive Officer and Chief Financial Officer, works collaboratively across our company to implement a program designed to protect our information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with our incident response and recovery plans. To facilitate the success of our cybersecurity program, a cross-functional team throughout our company addresses cybersecurity threats and responds to cybersecurity incidents. Through ongoing communications with this team, the Information Systems Representative and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the Audit Committee when appropriate. The Information Systems Representative has served in various roles in information technology and information security for over 25 years, including serving as the Director of Information Technology of another public company.