Twist Bioscience Corp 10-K Cybersecurity GRC - 2024-11-18

Page last updated on November 18, 2024

Twist Bioscience Corp reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-11-18 16:10:02 EST.

Filings

10-K filed on 2024-11-18

Twist Bioscience Corp filed a 10-K at 2024-11-18 16:10:02 EST
Accession Number: 0001628280-24-048262

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

Processes Used to Assess, Identify, and Manage Material Risks from Cybersecurity Threats

Risk Assessment and Management

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including, among other things, intellectual property, trade secrets, confidential information that is proprietary, strategic or competitive in nature, and personal data.

Our Chief Information Officer (“CIO”) together with our Senior Director of IT Infrastructure, Security and Compliance and other members of the Information and Business Technology (“IBT”) Security team, are responsible for establishing and implementing cybersecurity policies and procedures, which includes developing and updating our Security Incident Response Policy (“IRP”), managing incident response, and overseeing any policy exceptions and potential compensating controls.

Our cybersecurity program is based on the International Organization for Standardization (“ISO”) 27001 security controls. We maintain an ISO 27001:2022 certification and we undergo routine audits by an independent, certified accreditation body to maintain this certification. We also provide annual, mandatory cybersecurity training for employees to equip our workforce with the knowledge to identify and respond to cybersecurity threats, such as phishing attempts.

Our process for assessing, identifying, and managing material risks from cybersecurity threats is integrated into our overall enterprise risk management process. As part of our overall enterprise risk management process, we have a cybersecurity risk management strategy based on National Institute of Standards and Technology (NIST) Special Publication 800-30 “Guide for Conducting Risk Assessments” that provide guidelines and principles for information technology security risk management.

Incident Response

We have a dedicated Information Security team within the IBT team responsible for managing and coordinating incident response efforts. This team collaborates closely with other teams within the company, including Legal and Finance, in identifying, analyzing, and responding to cybersecurity incidents, which includes tracking cybersecurity incidents to help identify any related incidents. When cybersecurity incidents are identified, our practice is to respond to and address them utilizing incident classifications and escalation protocols, in accordance with applicable governmental regulations and other legal requirements. We have an IRP to prepare for and respond to cybersecurity incidents. The process is tested in annual tabletop exercises to help identify strengths and areas for improvement.

Engagement of Third Party Advisors

We engage third party advisors, including assessors, cybersecurity consultants, and auditors to assess, validate, and enhance our cybersecurity program. We benefit from engaging third parties to provide specialized skills, knowledge, tools, and resources. These third parties also help reduce costs, increase efficiency, improve quality, mitigate risks, and review cybersecurity strategy, trends, and threat landscape. We refine and mature our cybersecurity roadmap and strategy based on findings and their risk standing.

Third-Party Service Provider Risk Management

We have a process in place to oversee and identify risks from cybersecurity threats associated with our use of key third-party service providers during the course of engagement. The company maintains a formal risk management program to identify, assess, monitor and mitigate risks associated with third-party relationships, including cybersecurity risks. Our vendor security assessment process evaluates key vendors and, where appropriate, assesses vendor’s controls for IT security, privacy, business continuity, and other third-party risks. Following an evaluation, the company determines and prioritizes risks based on their potential impact, which help inform the appropriate level of additional due diligence and ongoing compliance monitoring.

Material Risks from Cybersecurity Threats

We have not identified risks from known cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected us, including our business strategy, results of operations or financial condition, but we face certain ongoing cybersecurity risks threats that, if realized, are reasonably likely to materially affect us. For additional information regarding these risks, please refer to Item 1A, “Risk Factors,” “If we, or our partners or suppliers, experience a significant disruption in, or breach in security of, information technology systems, or fail to implement new systems and software successfully, our business could be adversely affected. Cyberattacks and security vulnerabilities could lead to reduced revenue, increased costs, liability claims, or harm to our reputation or competitive position” in this Annual Report on Form 10-K.

Cybersecurity Governance

Board Oversight of Risks from Cybersecurity Threats

The Board oversees management’s processes for identifying and mitigating risks, including cybersecurity risks, to help align our risk exposure with our strategic objectives. Our CIO regularly briefs the Board on cybersecurity matters. We have procedures led by our CIO which govern our assessment, response and notification of internal and external parties upon the occurrence of a cybersecurity incident. Depending on the nature and severity of an incident, this process provides for escalating notification to our executive team, to evaluate the overall impact and appropriate or required external notifications. Based on its nature and severity, the Board would be informed of an incident by our executive team.

Management’s Role in Assessing and Managing Materials Risks from Cybersecurity Threats

Under the IRP, cybersecurity incidents are escalated based on a defined incident severity to management as appropriate. Management, including the CIO, is involved in assessing and managing our cybersecurity risks. Our CIO has 13 years of experience managing information technology in complex environments. As noted above, the company’s IRP includes standard processes for escalating significant cybersecurity incidents to management, including the CIO, who then informs the Board based on the nature and severity of the incident. The company’s incident response team also coordinates with external legal advisors, cybersecurity forensic firms, communication specialists, and other outside advisors and experts, as appropriate.


Company Information

Name: Twist Bioscience Corp
CIK: 0001581280
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: TWST - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29