Replimune Group, Inc. - (REPL)
10-K Filing Date: May 16, 2024
Item 1C. Cybersecurity
We have policies, procedures, and processes for assessing, identifying, and managing cybersecurity risks, which are built into our overall information technology function and are designed to help protect our information assets and operations from internal and external cyber threats as well as secure our networks and systems. Such processes include procedural and technical safeguards, response plans, regular vulnerability and penetration tests on our systems and product applications, incident simulations, and routine review of our policies and procedures to identify risks and improve our practices. Our security incident response plan is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to assess the severity of, escalate, contain, investigate, and remediate incidents as well as to comply with applicable legal obligations. We maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks, and other related breaches.
We engage certain external parties to enhance our cybersecurity processes and strategies. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, we evaluate the security and risk posture according to the perceived level of risk and in accordance with industry standard best practices.
Our audit committee of the Board of Directors provides direct oversight over cybersecurity risk and provides applicable updates to the Board of Directors regarding such oversight. Members of management responsible for data privacy, technology, and information security risks join our audit committee meetings from time to time to discuss these risks, risk management activities, incident response plans, best practices, the effectiveness of our security measures, and other related matters.
Our Chief Information Officer, who reports to our Chief Financial Officer, leads the operational oversight of company-wide cybersecurity strategy, policy, standards, and processes and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. Specific cybersecurity related responsibilities include overseeing our processes and strategies for the detection, mitigation, and remediation of cybersecurity incidents. Our Chief Information Officer has extensive experience assessing and managing cybersecurity and risk programs having served in relevant positions of increasing responsibility for over 25 years at several private and public companies.
In an effort to deter and detect cyber threats, we provide all employees with routine response and prevention training, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use, and mobile security, and educates employees on the importance of reporting all incidents promptly. We also use technology-based tools to mitigate cybersecurity threats and risks and to bolster our employee-based cybersecurity programs.
Despite our cybersecurity efforts, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. See Part I, Item 1A, Risk Factors, in this Annual Report for a discussion of cybersecurity risks.