Alkermes plc. 10-K Cybersecurity GRC - 2025-02-12

Page last updated on February 12, 2025

Alkermes plc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-12 17:18:42 EST.

Filings

10-K filed on 2025-02-12

Alkermes plc. filed a 10-K at 2025-02-12 17:18:42 EST
Accession Number: 0000950170-25-019011


Item 1C. Cybersecurity.

Risk Management and Strategy

In the ordinary course of our business, we collect and store sensitive data, including IP, proprietary business information of ours and that of our suppliers and licensees, and personally identifiable information of persons who use our medicines, clinical trial participants and employees. Our licensees and third-party providers also possess certain of our sensitive data. The secure maintenance of such information and the secure performance of our information technology (“IT”) systems are critical to our operations and business strategy. As our dependency on, and the complexity of, our IT systems increases, the confidentiality, integrity and availability of our IT systems and the data that they store is critical to managing our business.

Our Information Security Management System (“ISMS”) is a key element of our information security program, designed to identify, assess, help mitigate, and monitor IT risks across our organization, including information security risks. The ISMS is informed by the structured principles of International Standard - ISO/IEC 27001:2022 (Information security, cybersecurity, and privacy protection), which outlines guidance for the establishment, implementation, maintenance, and improvement of information security management systems. Our ISMS is comprised of processes designed to identify cybersecurity risks, safeguard information assets and preserve the confidentiality, integrity, and availability of information owned, managed and maintained by us. Our ISMS includes formal written policies and procedures, technical security controls, such as automated tools designed to detect and prevent cybersecurity incidents, and programs designed to promote internal and third-party IT risk management, audit management, incident response and security awareness, including employee awareness trainings and other initiatives. Our ISMS includes periodic security audits, vulnerability assessments and penetration testing to proactively identify potential system vulnerabilities. Our ISMS is periodically assessed by third-party assessors and the results of such assessments, including any cybersecurity risks and related mitigations identified, are reported to the audit and risk committee of our board of directors, as described below, and are used by us to improve our ISMS and our broader information security program.

As part of our information security program, we also have processes in place for management of cybersecurity risks associated with third-party handling of our confidential information, including in such third parties’ provision of critical services on our behalf. We conduct due diligence of our third-party vendors through an assessment of their security practices and overall risk profile, including through their completion of vendor assessment questionnaires and ongoing monitoring of such third parties, utilizing tools such as security ratings services and periodic reassessment questionnaires.

As of the date of this Annual Report, we have not experienced any information security incidents that have materially affected, or are reasonably likely to materially affect, our business strategy, results of operations, or financial condition, and we have not identified any current cybersecurity threats that we believe are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Governance and Oversight

We have a multi-layered information security governance framework in place to provide oversight of our information security program and strategy, our ISMS, and related risks and opportunities. This governance framework includes procedures for escalation of identified information security risks, threats or incidents through various management levels, including up to our Information Security Governing Body, which is comprised of our Chief Executive Officer, Chief Information Officer, Chief Operating Officer, Chief Financial Officer, Chief Legal Officer and other members of management, and as appropriate, up to our board of directors.

Our information security team is responsible for developing, implementing and overseeing our Company-wide information security strategy and related policies and practices. This team works cross-functionally throughout our organization to assess and prepare the Company for identification and mitigation of, and if necessary respond to, information security risks. The information security team is led by our Chief Information Officer, who has over 35 years of experience in various information technology roles, including 18 years at the Company serving in roles with increasing levels of responsibility. Our Vice President of Information Security and Technology, a Certified Information Systems Security Professional, with over 20 years of global experience in various information security roles, including 14 years of experience at the Company, is responsible for day-to-day management of information security team initiatives. The other members of the information security team have extensive IT, IT security and cloud industry experience, as well as certifications pertaining to information security and privacy (such as Certified Information Security Manager, Certified Information Privacy Technologist, GIAC Security Essentials and GIAC Information Security Professional certifications).

Our board of directors, as a whole and through its committees, has responsibility for the oversight of risk management. The audit and risk committee of our board of directors specifically oversees critical risks and opportunities facing the Company and, in this context, reviews and provides feedback on our company-wide enterprise risk management program, which encompasses risks related to IT and cybersecurity and mitigations put in place, or to be put in place, in response to such risks and opportunities. The audit and risk committee periodically reports to the full board of directors regarding its oversight of the Company’s enterprise risk management program and periodic risk assessment results. In addition, our board of directors receives periodic updates from our CIO and Vice President of Information Security on our ISMS and other information security initiatives, and on our information security governance framework.


Company Information

Name: Alkermes plc.
CIK: 0001520262
SIC Description: Pharmaceutical Preparations
Ticker: ALKS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30