Roivant Sciences Ltd. - (ROIV)
10-K Filing Date: May 30, 2024
CYBERSECURITY
Cybersecurity Risk Management and Strategy
Roivant’s corporate information security organization, led by our Chief Information Security Officer (“CISO”), is responsible for our overall information security strategy, policy, security engineering, operations and cybersecurity threat and incident detection and response centrally at Roivant and the majority of our Vants. Certain of our Vants, including Immunovant, Dermavant and our healthcare technology Vants, have established and maintain separate cybersecurity functions which are similarly designed to protect their information and assets from cybersecurity threats or incidents.
Roivant and the Vants’ information security organization manages a robust enterprise security structure with the goal of preventing and mitigating any cybersecurity incidents, while simultaneously working to continually increase information technology system resilience designed to minimize any business impact should a cybersecurity incident occur. Central to Roivant’s information security organization is our Cybersecurity Incident Response Team, which is responsible for the protection, detection and response capabilities used to protect our data and enterprise computing networks. A Cybersecurity Risk Governance Committee oversees processes for identifying and mitigating cybersecurity threats and incidents and helps align our risk exposure with our strategic objectives. Cybersecurity threats and incidents deemed to have a moderate or higher business impact, even if immaterial to us as a whole, are reported to the Corporate Risk Management Committee and shared with Roivant’s board of directors.
Roivant and the Vants implement multiple levels of cybersecurity measures, including standard malware detection and prevention software, email security programs, privileged access management, vulnerability detection and remediation software, security patch management, security event logging and review, and special isolation and access controls for data repositories that may contain sensitive information, including protected health information.
Roivant and the Vants’ cybersecurity programs are informed by industry standards and include periodic risk assessments and security testing supported by cybersecurity technologies, including third-party security solutions, vulnerability management and monitoring tools, designed to monitor, identify and manage risks from cybersecurity threats and incidents. In addition, we have implemented employee security and awareness training related to cybersecurity threats and incidents.
Roivant and the Vants undergo periodic internal compliance audits and external reviews to evaluate our controls, including cybersecurity controls. Additionally, a majority of our information technology systems are built on services provided by third parties. In an effort to minimize third-party risk, we have established a process designed to assess the cybersecurity practices of third-party suppliers and related risks, including through review of relevant supplier certifications and cybersecurity procedures and responses to standardized information-gathering questionnaires, as we deem applicable and appropriate. Our control over and ability to monitor the security posture of third parties with whom we do business remains limited and there can be no assurance that we can prevent, mitigate or remediate the risk of any compromise or failure in the security infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on our business from any such compromise or failure.
Governance Related to Cybersecurity Risks
Roivant’s board of directors oversees our overall risk management strategy, including with respect to cybersecurity risks. Cybersecurity risk management policies and procedures are integrated into our overall risk management strategy, which is overseen by the audit committee of the board of directors (“Audit Committee”). At least annually, the Audit Committee discusses our risk management program, including any information security and technology risks and findings from any audits, with our internal audit staff, including our Chief Accounting Officer.
At the management level, our CISO is primarily responsible for leading our cybersecurity strategy centrally at Roivant and the majority of our Vants. Our CISO has extensive cybersecurity experience across a wide array of industries, with previous leadership positions specializing in safeguarding healthcare data across various health technology companies.
At Immunovant, Dermavant and the healthcare technology Vants that have established and maintain separate cybersecurity functions, governance is similarly overseen in the first instance by the boards of directors of those Vants as part of their overall risk management strategy, with ultimate oversight on a company-wide basis by the Roivant board of directors.