Page last updated on January 28, 2025
Nurix Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-01-28 16:15:22 EST.
Filings
10-K filed on 2025-01-28
Nurix Therapeutics, Inc. filed a 10-K at 2025-01-28 16:15:22 EST
Accession Number: 0001549595-25-000016
Item 1C. Cybersecurity.
We recognize the importance of maintaining the trust and confidence of our patients, our collaborators, our business partners, our investors, and our employees and understand how key it is to maintain their confidence in our ability to properly protect and manage our information technology systems, infrastructure and data as part of that trust and confidence. In order to achieve this, our management team and our Board of Directors are actively involved in the oversight of our cybersecurity program as part of our approach to risk management.
Risk Management and Strategy
We maintain processes for assessing, identifying, and managing cybersecurity risks. These processes are designed to protect our information assets and operations from both internal and external cyber threats, including protecting employee and patient information from unauthorized access or attack, and to secure our networks and systems. Our cybersecurity and data privacy programs are aligned to, among others, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess, identify and manage material risks from cybersecurity threats. We employ a combination of physical, procedural, and technical safeguards, regular system tests, incident simulations, and routine policy and procedure reviews to identify risks and enhance our practices.
We have a cybersecurity incident response plan (CIRP) that we review on at least an annual basis and update as business needs and the security landscapes change and as required. In the event of a cybersecurity incident, our incident response team refers to our CIRP and existing management internal controls and disclosure processes.
Pursuant to this process, designated personnel are responsible for assessing the severity of the incident and any associated threats, containing and resolving the incident as quickly as possible, managing any damage to our systems and networks, minimizing the impact on our stakeholders, analyzing and executing upon internal reporting obligations, escalating information about the incident to senior management and the Board of Directors, as appropriate, and performing post-incident analysis and program enhancements, as needed. We perform tabletop exercises on at least an annual basis to test our incident response procedures, identify gaps and improvement opportunities and exercise team preparedness.
We provide our employees and consultants with privacy, data protection, cybersecurity incident response, and prevention education and awareness training, which includes annual and supplemental training covering relevant topics, such as social engineering, phishing, password protection, confidential data protection, asset use, and mobile security, and educates employees on the importance of reporting all incidents immediately. In addition, we perform phishing test campaigns on at least a quarterly basis to reinforce identification and reporting training.
We engage third parties to conduct risk assessments on our systems and other vulnerability analyses on a recurring basis and assist with containment and remediation efforts. In addition, third-party technology and analytics and penetration testing are utilized to identify potential vulnerabilities.
To manage risks related to cybersecurity incidents that could impact our CROs, third-party vendors and other contractors and consultants, we maintain a third-party risk management program, which is designed to assess the security controls of our third parties. The assessment methodology is based on risk and relies on the data, access, connectivity, and criticality of the services that the third-party offers.
Cybersecurity Governance
Our cybersecurity and data privacy programs are implemented and overseen by our Chief Information Security Officer (CISO), our Senior Vice President (SVP) of Information Technology, and members of our executive management team.
Our SVP of Information Technology has over 20 years of information technology experience, with over 15 years of experience leading technology and cybersecurity programs in biopharmaceutical companies. Since joining Nurix in 2021, our SVP of Information Technology has led all information technology strategy and operations, including our cybersecurity program. Previously, he served as Chief Technology Advisor focused on cybersecurity incident response and strategic security consulting, and held senior IT leadership roles at multiple clinical-stage biotechnology companies. He holds industry cybersecurity certifications and is undertaking advanced studies in IT Management and Cybersecurity.
Our CISO has over 20 years of experience in information security, including more than 15 years of experience leading large-scale cybersecurity and privacy programs across various industries. He currently leads all aspects of our enterprise cybersecurity strategy, risk governance, and privacy effort. He holds industry-recognized certifications, including CISSP. He earned his MBA with a focus on Finance and Strategy and a B.E. in Electronics and Communication.
Our SVP of Information Technology and our CISO regularly provide cyber threat intelligence briefings to management on the status of the Company’s security measures and our efforts to identify and mitigate risks from cybersecurity threats. Our SVP of Information Technology and CISO also work closely with our Chief Financial Officer and Chief Legal Officer to further enhance incident response procedures and to assess and manage risks from cybersecurity threats.
The Audit Committee of our Board of Directors (Audit Committee) oversees the Company’s overall enterprise risk assessment and risk management policies and guidelines, including risks related to cybersecurity matters. The Audit Committee provides periodic reports to the Board of Directors regarding its oversight of cybersecurity, information technology, data protection and related matters. Members of the Board of Directors also participate in table-top exercises involving simulated data security incidents and the Company’s responses to those incidents. The Audit Committee receives regular presentations and reports on cybersecurity risks, which address a wide range of topics including recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, planned improvements to our cybersecurity program, and the status of information security initiatives. The Audit Committee also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds.
Risk and Issues Disclosure
As of November 30, 2024, and through the date of this filing, we are not aware of any material cybersecurity incidents that have impacted the Company, nor do we believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. However, we previously have been the target of cyber-attacks and expect them to continue as cybersecurity threats have been rapidly evolving in sophistication and becoming more prevalent in our industry. We face risks of incidents, whether through cyber-attacks or cyber intrusions through the Cloud, the Internet, phishing attempts, ransomware, and other forms of malware, computer viruses, email attachments, extortion, and other scams.
Although we make efforts to maintain the security and integrity of our information technology systems, these systems and the proprietary, confidential, and personal information that resides on or is transmitted through them are subject to the risk of a cybersecurity incident or disruption, and there can be no assurance that our security efforts and measures, and those of our third-party vendors, will prevent breakdowns or incidents to our or our third-party vendors’ systems that could adversely affect our business. For additional information on cybersecurity risks we face, see Part I, Item 1A. Risk Factors of this Annual Report on Form 10-K under the heading “Risks Related to Employees, Managing our Growth and Other Legal Matters-We depend on our information technology systems, and any failure of these systems, or those of our CROs, third-party vendors, collaborators or other contractors or consultants we may utilize, could harm our business. Security breaches, cyber-attacks, loss of data and other disruptions could compromise sensitive information related to our business or other personal information, prevent us from accessing critical information and expose us to liability, which could adversely affect our business, reputation, results of operations, financial condition and prospects.”
Company Information
Name | Nurix Therapeutics, Inc. |
CIK | 0001549595 |
SIC Description | Pharmaceutical Preparations |
Ticker | NRIX - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | November 29 |