Xilio Therapeutics, Inc. - (XLO)
10-K Filing Date: April 01, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
We have established processes for assessing, identifying and managing cybersecurity risks, which are built into our overall information technology, or IT, function. These processes are designed to help protect our operations and information assets from unauthorized access or attack, as well as secure our networks and information systems. Such processes include technical, procedural, and organizational safeguards, including, without limitation: detection and response platforms on all endpoints within the organization; various additional security tools designed to help protect, identify, escalate, investigate, resolve and recover from security incidents in a timely manner; monitoring and regular testing of our data controls and provenance for vulnerabilities; incident simulations; incident response plans; employee training, including bimonthly phishing simulations to provide “experiential learning” on how to recognize phishing attempts; integrated and easily accessible mechanisms available to all employees that encourage proactive reporting of any perceived or actual vulnerabilities across the organization; and routine review of our policies and procedures to identify risks and refine our practices.
As part of these processes, we engage a third-party penetration testing firm to conduct annual penetration testing from both internal and external perspectives to identify and mitigate potential vulnerabilities. We also consider the internal risk oversight programs of third-party service providers, and our IT department uses an audit review process to evaluate the internal controls of third-party vendors who will have access to personally identifiable information or our confidential financial data.
We do not believe there are currently any known risks from cybersecurity threats, including as a result of any previous cybersecurity incident of which we are aware, that are reasonably likely to materially affect our business strategy, results of operations or financial condition. For more information regarding cybersecurity risks and the potential related impacts on our Company, please see the risk factor beginning with the caption “We depend on our information technology systems and those of our third-party service providers, and any failure of these systems could harm our business” in Part I, Item 1A. “Risk Factors” in this Annual Report on Form 10-K.
Governance
Our board of directors is responsible for monitoring and assessing strategic risk exposures, including reviewing our policies and practices with respect to risk assessment and risk management. The audit committee of our board of directors assists the board of directors with this responsibility by discussing our risk assessment and risk management policies, including the guidelines and policies that govern the process by which we manage our exposure to cybersecurity risks, with members of management on a periodic basis, and the audit committee is notified between such updates regarding significant new cybersecurity threats or incidents. The audit committee, in turn, periodically reports on its review to the board of directors.
Management is responsible for the day-to-day assessment and management of cybersecurity risks. Our senior vice president of information technology, or our SVP, IT, has primary oversight of material risks from cybersecurity threats and leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes, including through his management of, and participation in, the cybersecurity risk management and strategy processes described above, and his oversight of our incident response plans and escalation procedures described below. Our SVP, IT reports to our chief operating officer, or COO, and is an experienced information technology leader with over 25 years of expertise in cybersecurity defense, both in academic and corporate environments. This experience includes, but is not limited to, data defense, perimeter and infrastructure defense, corporate risk awareness, compliance adherence, and cybersecurity training and leadership.
We have also established a cross-functional information security council, or ISC, led by our SVP, IT, that brings together representatives from across the organization, including from our IT, finance, clinical, human resources, research and development, program leadership, facilities, and legal functions, that is responsible for reviewing, responding, mitigating and reporting all cybersecurity incidents. The ISC meets quarterly and on an ad hoc basis, as necessary. In the event of a cybersecurity incident, our ISC is promptly convened and follows a standardized review and mitigation process and incident response plan, which includes escalation to our data protection committee, or DPC. Our DPC is composed of our SVP, IT, our COO, our senior vice president, finance and accounting, and senior members of our legal and IT teams and is responsible for assessing, among other factors, the actual or potential operational, business, financial, legal or reputational impact of a cybersecurity incident on the Company. The DPC is also responsible for notifying the audit committee of the board of directors in the event of a significant cybersecurity threat or incident.