ARVINAS, INC. 10-K Cybersecurity GRC - 2025-02-11

Page last updated on February 11, 2025

ARVINAS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-11 17:16:45 EST.

Filings

10-K filed on 2025-02-11

ARVINAS, INC. filed a 10-K at 2025-02-11 17:16:45 EST
Accession Number: 0001655759-25-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. We have processes for assessing, identifying and managing cybersecurity risks, which are built into our information technology function and are designed to provide protection for our information assets and operations from internal and external cyber threats, including protecting employee and patient information from unauthorized access or attack, as well as secure our networks and systems. These processes include physical, procedural and technical safeguards, response plans, regular tests on our systems, incident simulations and routine reviews of our policies and procedures to identify risks and enhance our practices. As part of our overall risk mitigation strategy, we maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches. We have engaged external parties, including consultants, computer security firms and risk management, and legal and governance experts, to enhance our cybersecurity oversight. We also employ processes to identify material risks from cybersecurity threats associated with our use of third-party service providers. 127 Based on an assessment using the previously described risk mitigation strategy, we do not believe there are currently any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. See " Our internal computer systems and those of our collaborators, contractors, consultants and other third parties are vulnerable to cyber attacks, cyber intrusions and security breaches, which could not only materially disrupt our business operations and result in the loss of confidential information, but could also damage the integrity of our clinical trials, impact our regulatory filings, compromise our ability to protect our intellectual property, and subject us to regulatory actions that could result in significant fines or other penalties" in Part I, Item 1A. “Risk Factors” for additional information. Our Audit Committee of our Board of Directors, or the Audit Committee , provides direct cybersecurity risk oversight, and provides regular updates to the Board of Directors regarding such oversight. The Audit Committee receives quarterly updates from management and the Cybersecurity Board, as discussed in further detail below, regarding cybersecurity matters, and is notified between such updates regarding significant new cybersecurity risks, threats or incidents. We also provide updates to the full Board of Directors regarding cybersecurity risks, threat landscape and risks, as appropriate. We have a cross-functional Cybersecurity Board led by our Senior Vice President, Information Technology Systems & Security serving as the chair and consisting of executive-level and non-executive level leaders, including among others, our Chief Financial Officer and General Counsel. This board is responsible for reviewing, engaging and making decisions related to the execution and continuous improvement of cybersecurity strategy, processes and governance impacting our information systems, employees, partners and patients. Our Senior Vice President, Information Technology Systems & Security leads the operational oversight of company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. Our Senior Vice President, Information Technology Systems & Security is an experienced senior leader with more than 25 years of experience in information technology within the pharmaceutical industry leading a team of employees and consultants with a breadth of experience including security management experience along with CISSP certification. In an effort to deter and detect cyber threats, we periodically provide our workforce, including all employees and contingent staff, with a privacy, data protection, cybersecurity and incident response, and prevention education and awareness program, which includes annual and supplemental training covering a range of timely and relevant topics. Past topics have included social engineering, phishing, password protection, confidential data protection, asset use, and mobile security. This education and awareness program functions to educate employees on the importance of reporting all incidents immediately. In addition, we perform monthly phishing test campaigns to reinforce identification and reporting training. We automatically assign online reinforcement training upon initial phish test failure and may follow-up one-on-one as needed. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs. Lastly, we perform annual penetration tests conducted by independent, third-party cybersecurity firms and ongoing vulnerability assessments conducted by the internal security team .

Company Information