Immunovant, Inc. - (IMVT)

10-K Filing Date: May 29, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have established certain processes designed to assess, identify and manage cybersecurity risks, which are built into our information technology functions and are designed to help protect our information assets and operations from internal and external cyber threats. Our cybersecurity risk management processes target integral areas such as data protection, access control, incident response and vulnerability management and are integrated into our overall enterprise risk management process. As part of our overall enterprise risk management process, our company’s information technology functions, including our Information Technology department leaders and third-party service providers, identify, assess and evaluate cybersecurity risks impacting our operations across the Company.

Depending on the information systems and environment, our cybersecurity program includes various administrative, physical, and technical safeguards designed to manage and mitigate material risks from cybersecurity threats, including, for example: an incident response plan, incident detection and response, risk assessments, encryption of data, network security controls, data segregation, access controls, physical security, systems monitoring, a vendor risk management program, penetration testing, cybersecurity insurance, dedicated cybersecurity staff, and asset management, tracking and disposal. Additionally, we provide all employees, including part-time and temporary employees, with annual and ad hoc cybersecurity awareness training.


Our information technology functions identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods, including internal and external audits, penetration and vulnerability tests, automated tools, subscriptions to reports and services that identify cybersecurity threats, analysis of reports of threats and actors, use of external intelligence feeds, evaluations of our and our industry’s risk profile, evaluation of threats reported to us, threat assessments for internal and external threats, scans of internal systems for threats, and incident response simulations (including third-party-conducted red/blue team testing and tabletop incident response exercises). We engage certain external service providers, including consultants, independent privacy assessors and computer security firms, as appropriate, to assess, test or otherwise assist with aspects of our security controls, including cybersecurity incident containment and remediation efforts, and enhance our cybersecurity oversight. We also use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example penetration testing firms, cybersecurity consultants, forensic investigators, cybersecurity software providers, managed cybersecurity service providers, and professional services firms (including legal counsel).

We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, contract manufacturing organizations, distributors, and supply chain resources. With respect to our use and oversight of third-party service providers, we use a risk-based approach to apply our cybersecurity processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider and perform additional risk screenings and procedures, as appropriate. We use a number of means to assess cyber risks related to our third-party service providers, including risk assessments for each vendor, vendor security questionnaires and due diligence in connection with onboarding new vendors, and ongoing reviews and due diligence with key or high-risk third-party vendors. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available and include appropriate security terms in our contracts where applicable as part of our oversight of third-party providers.

For additional information regarding cybersecurity risks and their potential impacts on our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A. Risk Factors in this Annual Report, including the risk factor captioned “We are subject to stringent and changing privacy, data protection, and information security laws, contractual obligations, self-regulatory schemes, government regulation and standards related to data privacy and security. The actual or perceived failure by us, our CROs or vendors to comply with such obligations could result in harm to our reputation, regulatory investigations or actions, significant fines and liability, disruption of our clinical trials or other material adverse effects to our business.”

Governance

The Audit Committee of our Board of Directors oversees our cybersecurity and data privacy risk management activities, and reports to the Board regarding such oversight as appropriate. The Audit Committee receives updates from management regarding cybersecurity matters not less than twice per year, and is notified between such updates regarding any significant new cybersecurity threats or incidents.

Our Vice President of Information Technology and Facilities and our Head of Cybersecurity lead the operational oversight of company-wide cybersecurity strategy, policy, standards and processes, and work across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. The Vice President of Information Technology and Facilities has over 16 years of experience delivering systems across all functions of life science organizations, including support of infrastructure, security, software as a service (SaaS) systems and data integrations, along with ten years working with cybersecurity. The Head of Cybersecurity has approximately 15 years of cybersecurity expertise and has received Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP) certifications.

In the event of a cybersecurity incident, we maintain a cybersecurity incident response plan designed to govern the actions required for responding to and reporting security incidents involving our information assets, including by escalating certain incidents to members of management, including the Vice President of Information Technology and Facilities and the Head of Cybersecurity. Pursuant to the plan and its escalation protocols, and depending on the nature, severity, and other circumstances of each potential cybersecurity incident, designated personnel may be responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis.