Avid Bioservices, Inc. - (CDMO)

10-K Filing Date: July 02, 2024
ITEM 1C. Cybersecurity

 

Risk Management and Strategy

 

We have implemented comprehensive information security processes to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware, software, and critical data, including intellectual property and confidential information (“Information Systems and Data”). Our Information Technology (“IT”) team plays a key role in identifying, assessing, and managing cybersecurity threats to our Information Systems and Data, including potential system disruptions, shutdowns, or unauthorized disclosures due to cyber-attacks.

 

The IT team identifies and assesses cybersecurity threats and risks by monitoring and evaluating the Company’s threat environment and risk profile using various methods including, for example: analyzing reports of threats, evaluating threats reported to us, coordinating with law enforcement concerning threats, internal and external security audits, vulnerability scanning, manual and automated detection tools, and continuous network monitoring. We have implemented a range of technical, physical, and organizational controls designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, such as incident detection and response policies, vulnerability management policies, disaster recovery plans, antivirus programs, authentication protocols, encryption of certain data, data segregation, asset management, tracking, and disposal, network security measures, access controls, and change management processes. We also maintain an insurance policy covering network security liability, incident response, business interruption, cyber extortion, social engineering, and computer fraud.

 

Our approach to managing cybersecurity risks is integrated into our overall risk management strategy. The IT team conducts risk assessments as needed and mandates periodic cybersecurity training for all employees. Additionally, we engage third-party service providers, including legal counsel, threat intelligence experts, cybersecurity services providers, and cybersecurity consultants, to enhance our risk management efforts.

 

We use third-party service providers to perform a variety of functions throughout our business, such as software-as-a-service (SaaS) providers and web hosting companies. We employ a vendor management program to oversee the cybersecurity practices of our third-party service providers. This includes periodic user access reviews and evaluations of System and Organization Control (“SOC”) 1 reports from certain of our SaaS vendors, focusing on their data protection measures. Depending on the sensitivity of the data and the nature of the services provided, our vendor management process involves varying levels of risk assessment and contractual cybersecurity obligations.

 

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including “If our information technology systems, or those of the third parties with whom we work, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences that could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

 

Governance

 

Our board of directors (the “Board”) oversees our cybersecurity risk management as part of its general oversight responsibilities and specifically monitors our cybersecurity risk management processes and mitigation strategies.


Our Vice President of IT, who has more than 25 years of experience in the IT industry, periodically briefs the Board and our audit committee on cybersecurity matters and is responsible for integrating cybersecurity risk considerations into our overall risk management strategy. Our Vice President of IT is also responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

 

Our cybersecurity incident response and vulnerability management processes are designed to escalate significant cybersecurity incidents to senior management depending on the circumstances, including the chief executive officer and chief financial officer, who collaborate with the incident response team to mitigate and remediate such incidents. In the event of a significant cybersecurity incident the Board is also informed as part of our incident response plan.

 
