10-K Filing Date: April 01, 2024


Risk Management and Strategy


Omeros maintains a cybersecurity risk management program that is designed to assess, identify, manage and respond to risks from cybersecurity threats in a robust manner. This program shares certain common methodologies, reporting channels and governance processes applicable to our management of other risk areas, such as legal, compliance, strategic, operational and financial risk.


We utilize a range of internal and external resources to assess and identify cybersecurity threats and vulnerabilities. We draw on information from a range of publications, reports and services to assess our cybersecurity risk profile, develop awareness of emerging cybersecurity threats and threat actors, and identify risk factors that are particularly relevant to the biotechnology and pharmaceutical sector and to our company. We also work with third parties that assist us in identifying, assessing and managing cybersecurity risks, including external auditors, consulting firms, managed security service providers and penetration testing firms.


We have implemented and maintain various technical, physical and organizational measures, processes, standards and/or policies designed to manage and mitigate material risks from cybersecurity threats. These include data encryption, network security controls, access controls, physical security, asset management, system hardening, vulnerability management and patching, and continuous monitoring of information technology systems and network telemetry data using a variety of manual and automated tools and systems designed to detect and respond to suspicious or unusual activity. We maintain systems and plans for business continuity and disaster recovery and have implemented tools and procedures for cybersecurity incident detection and response. We also operate a cybersecurity training program for employees that includes required webinars and the deployment of simulated phishing and similar social-engineering attacks of the kind threat actors use to gain access to company systems.


We take a risk-weighted approach to mitigation of cybersecurity risks associated with use of third-party service providers. Based on an assessment of the cybersecurity risks presented by a given third-party service provider, we seek to minimize third-party cybersecurity risk on a case-by-case basis, generally through a combination of due diligence in the selection of qualified vendors and the imposition of contractual terms requiring the vendor to maintain specified cybersecurity safeguards and/or to accept financial responsibility for security breaches occurring within the vendor’s area of responsibility.


We are not aware of any specific risks from specific cybersecurity threats, and have not experienced any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations or financial condition. While we continue to invest in the security and resiliency of our information technology systems and to enhance our cybersecurity controls and processes, we cannot provide assurance that a future cybersecurity incident will not occur or that it would not materially affect our company. Please see Item 1A of Part I of this Annual Report under the heading “Risk Factors” for additional discussion about risks related to cybersecurity.


Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. Pursuant to its charter, the audit committee of our board of directors is responsible for the oversight of management’s efforts to address cybersecurity risk. Management reports to the audit committee on cybersecurity risk matters periodically, typically twice annually. These reports normally address matters such as: the evolving cybersecurity risk environment and the emergence of new threats; outcomes and learnings from penetration testing, security audits or vulnerability assessments; evaluation of existing controls, tools and procedures and progress on implementation of any new initiatives to manage and mitigate cybersecurity risk. In addition, members of our board of directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.


Our cybersecurity risk management program is managed by our Director of Information Technology (the “IT Director”), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes. The IT Director has been with the organization since 2007, has a post-graduate degree in Information Security, and is a member of InfraGard, a partnership between the Federal Bureau of Investigation and members of the private sector for the protection of U.S. critical infrastructure. The IT Director is informed about and monitors prevention, detection, mitigation and remediation of cybersecurity risks and incidents through various means, which may include, among other things, briefings with dedicated internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in our information technology environment. The IT Director provides periodic reports on cybersecurity risk to the audit committee of our board of directors, as well as our chief executive officer and other members of our senior management as appropriate.