ARROWHEAD PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2024-11-26

Page last updated on November 26, 2024

ARROWHEAD PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-26 16:18:02 EST.

Filings

10-K filed on 2024-11-26

ARROWHEAD PHARMACEUTICALS, INC. filed a 10-K at 2024-11-26 16:18:02 EST
Accession Number: 0001628280-24-049277


Item 1C. Cybersecurity.

The Company maintains a cybersecurity program, with direct oversight from senior management and the Board of Directors (the “Board”), to manage information, data, and technology security. The cybersecurity program is informed in part by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and is designed to help identify, assess, and manage cybersecurity risks relevant to the Company’s business. The Company’s cybersecurity program has been developed in light of the nature of the Company’s business, resource availability, requirements from stakeholders, and industry trends.

The Company has formed an internal cross-functional Technology Risk Management Committee comprised of representative leaders from various aspects of the Company’s business to broadly implement its cybersecurity program. The Company’s cybersecurity program prioritizes vulnerability management, risk reduction, detection, and prevention to help protect against material risks from cybersecurity threats to its information systems. The Company routinely conducts internal and third-party cybersecurity risk assessments and penetration tests and incorporates relevant findings and recommendations into its overall cybersecurity strategy, as appropriate. Through these assessments, the Company develops targeted strategies intended to address the most significant cybersecurity risks and conducts at least one annual cybersecurity incident tabletop exercise to refine response plans.

The Company’s cybersecurity program emphasizes defense, rapid detection, and remediation of cybersecurity threats and incidents, including the use of various security tools and systems based on defense-in-depth and zero-trust principles that are intended to meet control requirements.
The cybersecurity program also encompasses crisis incident response guidelines that detail the processes for the detection, response, mitigation, and remediation of cybersecurity incidents, in order to support the effective management of, response to, communication during, and recovery from any such incidents.

A key element of the Company’s strategy is fostering training and awareness through annual cybersecurity training and role-based phishing tests for employees and certain third parties having access to the Company’s information systems. The Company also utilizes a third-party cybersecurity operations monitoring center to help identify threats and incidents to the Company’s servers and computers.

The Company’s cybersecurity preparedness program includes specific requirements and guidelines for the information security team relating to the Company’s computer emergency response preparedness, intrusion response preparedness, and incident response preparedness.

When a potential cybersecurity threat or incident is identified, our processes require that the Senior Director of Information Security be promptly notified of the incident, who then is to conduct an initial investigation to determine the probability and potential of the threat or incident to have a material impact on key business systems and processes. If there is a reasonable possibility for a material impact to the Company’s business or information systems, the cybersecurity program requires that the Technology Risk Management Committee be promptly notified, which then assigns a risk level to the threat or incident. All threats and incidents identified as high-risk are promptly escalated to Company leadership and the legal department, who are tasked with activating and implementing a high-risk information security incident mitigation and response plan, which details the roles, responsibilities, and strategies to respond.
Our cybersecurity program also requires that high-risk cybersecurity incidents or threats be reported to the Company’s Materiality Committee and the Audit Committee of the Board within 24 hours of their designation as high-risk by the Technology Risk Management Committee.

Cybersecurity risks are incorporated into our overall risk management program. If a cybersecurity risk is identified as high-risk, a response and mitigation plan is developed, and progress updates on the plan are routinely reported to the Technology Risk Management Committee and tracked by the Audit Committee of the Board as part of our overall risk management process.

The Company is not aware of any cybersecurity threats or incidents in the last fiscal year, including as a result of any prior cybersecurity incidents, that have had a material impact on our Company, including its business strategy, operations, or financial condition. However, we face certain ongoing cybersecurity risks and threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A “Risk Factors,” under the heading “Our business and operations could suffer in the event of a cybersecurity incident or other information technology system failures.”

Execution of the Company’s cybersecurity program is delegated by the Board to the Senior Director of Information Security, who has nearly 25 years of relevant experience in information security, including 13 years at the Company, and is further supported by a team of security professionals within the Information Systems & Informatics department. The Senior Director of Information Security reports to the Vice President of Information Systems & Informatics, and they meet periodically with senior leadership and the Board to review metrics on cybersecurity preparedness, incidents, mitigations and remediation efforts.
In addition, the Company’s internal audit team conducts periodic audits of its systems and cybersecurity processes, with findings reported to the Audit Committee and senior management.

The Company has also established a management-level Technology Risk Committee, which includes leaders from finance, legal, operations, quality & compliance, and information systems & informatics, who are responsible for overseeing the execution of high-risk incident response and mitigation plans. This committee actively reviews technology strategies, physical and cybersecurity threat assessment, and emerging issues and related initiatives. It is also responsible for evaluating the materiality of information for SEC filings and, as required or as otherwise appropriate, coordinates with the Company’s Materiality Committee to support timely disclosure of relevant information.


Company Information

Name: ARROWHEAD PHARMACEUTICALS, INC.
CIK: 0000879407
SIC Description: Pharmaceutical Preparations
Ticker: ARWR - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: September 29