ENANTA PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2024-11-27

Page last updated on November 27, 2024

ENANTA PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-11-27 08:35:40 EST.

Filings

10-K filed on 2024-11-27

ENANTA PHARMACEUTICALS INC filed a 10-K at 2024-11-27 08:35:40 EST
Accession Number: 0000950170-24-131260

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY RISK MANAGEMENT AND STRATEGY We have continued to invest in an evolving state-of-the-art cybersecurity framework of tools, processes, training, and people designed to efficiently assess, identify, and remediate material risks that could affect business operations, financials, or public reputation. Our multi-layered approach to cybersecurity involves regular network monitoring, vulnerability scanning, advanced threat detection, and incident response capabilities against recognized cyber threats to our business and stakeholders, including ransomware, data breaches and insider threats. We regularly update our security measures, as necessary, to ensure we address all new threats and technologies, using the National Institute of Standards and Technology (“NIST”) Framework as a guide, when appropriate and relevant to our business. As further protections, we utilize encryption, access control mechanisms and secure cloud infrastructures, and we invest in extensive user training. All users regularly undergo updated cybersecurity awareness training in an ongoing effort to reduce the risk of human error contributing to any potential security incidents. All users are also subject to simulated phishing emails with real time feedback for a more continuous layer of training. We have retained a seasoned virtual Information Security Officer (“vISO”) to assist and guide our IT organization in maintaining and evolving a comprehensive and robust cyber security environment. Monthly meetings review all facets of our current status against appropriate NIST standards, review any incidents, and review the results of ongoing simulated phishing exercises to identify certain users who may need extended training. In addition, as part of our annual security review, we hire a third-party network penetration testing firm to provide simulated probing and subsequent reporting. We use the results of these annual tests to improve the strength and flexibility of our network’s security. Our Incident Response Plan (“IRP”) has evolved with our cyber environment and consists of a set of state-of-the-art-tools capable of monitoring, reporting and alerting, as well as regular reviews. The IRP also sets forth guidelines on how to triage, assess the severity and materiality of findings, and remediate and escalate findings to upper management in a timely manner, as necessary. In addition, as part of our overall risk mitigation strategy, we also maintain cyber insurance coverage. However, such insurance may not be sufficient to cover us against all possible claims related to security breaches, cyber-attacks and other related breaches. Our current environment contains no known risks from cybersecurity threats that could materially impact our business operations, financials, or public reputation. 56 Cybersecurity Governance and Oversight The Board of Directors has assigned the Audit Committee to be responsible for reviewing our cybersecurity risk management and strategy program and is presented, at least annually, with a review of our environment and reported incidents. Part of our IRP also calls for the elevation of any necessary incidents to upper management in a timely manner whenever they occur. We have also formed a steering committee, composed of IT staff and relevant business leaders responsible for the Company’s material information, including commercially sensitive data. The goals of this steering committee include overseeing our annual material risk assessment and documenting and reporting to senior management. The steering committee also reviews changes to procedural and other controls. We have also formed a risk register subcommittee to review and formally discuss any critical risks identified during our vISO annual assessment of our cyber environment.

Company Information