EXACT SCIENCES CORP 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

EXACT SCIENCES CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 17:11:06 EST.

Filings

10-K filed on 2025-02-19

EXACT SCIENCES CORP filed a 10-K at 2025-02-19 17:11:06 EST
Accession Number: 0001124140-25-000020


Item 1C. Cybersecurity.

Governance

Our Board of Directors administers its cybersecurity risk oversight function directly through our Audit and Finance Committee (“AFC”). Our AFC has primary responsibility for overseeing our risk management practices, programs, and policies related to data privacy, data protection, and cybersecurity. The AFC reviews and evaluates the processes utilized by management to identify and assess the material internal and external risks that may affect our business. Our AFC regularly discusses our major risk exposures with management, legal counsel, and the internal audit department. This includes potential financial impact on the Company and the steps taken to monitor and control those risks. Annual reviews with management include a summary of legal and regulatory compliance matters and risk management activities, including a review of our cybersecurity program. Additionally, our AFC oversees the process by which our Board of Directors is informed regarding the risks facing the Company and coordinates with our legal counsel to ensure our Board of Directors receives regular risk assessment updates from management.

The Chief Information Security Officer (“CISO”) is responsible for identifying, assessing, and managing our risks from cybersecurity threats. The CISO has been with the Company for three years, bringing more than 30 years of technology experience, including 15 years in cybersecurity, and has held the CISO position at other companies before joining Exact Sciences. The CISO leads the cybersecurity team consisting of experts in strategy, governance, risk management, compliance, engineering and development, security operations, and incident management.

Our Artificial Intelligence Council, which includes the CISO, oversees adherence to AI ethical principles and regulatory requirements in the development and utilization of AI systems, including generative AI tools. AI governance is integrated within the broader governance framework discussed above.

The CISO provides our AFC with periodic updates about our cybersecurity program and material risks. This includes updates on cybersecurity practices and projects designed to strengthen internal cybersecurity and data protection.

Risk Management and Strategy

Processes for identifying and assessing cybersecurity risks

The CISO, with the support of the cybersecurity team and the owners of information technology across the business, monitors current events and trends related to cybersecurity and assesses impact on current systems and operations. There are several processes in place to monitor and review our systems, including third-party solutions, to identify potential risks. Third-party service providers are required to notify us in the event of a cybersecurity incident within their systems, and annual reviews are conducted on the Company’s critical third-party vendors. Cybersecurity risks, threats, and incidents, including those from third-party service providers, are tracked and regularly provided to the CISO. The Cybersecurity Leadership Team, which includes the CISO and executives from all business functions across the organization, meets at least quarterly to review and discuss cybersecurity risks facing the Company.

Processes for managing cybersecurity risks

The cybersecurity team tracks risks and incidents related to cybersecurity until the risk is mitigated to an acceptable level or fully remediated. When risks are identified, the cybersecurity team oversees mitigation plans with the risk owner. The plans are communicated to necessary teams and remediation steps are taken.

Processes for incorporating cybersecurity risks into the overall risk management process

Our process for identifying, assessing, and managing risks related to cybersecurity is incorporated into our Enterprise Risk Management (“ERM”) process. The Risk Management team meets at least annually with cybersecurity leadership to discuss identified cybersecurity-related risks and the potential likelihood and severity of each risk. Through the ERM process, cybersecurity risks are presented to the executive leadership team, including the CEO and CFO, as well as reported to the AFC.

Currently, we are not aware of any risks from cybersecurity threats or cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company.


Company Information

Name: EXACT SCIENCES CORP
CIK: 0001124140
SIC Description: Services-Medical Laboratories
Ticker: EXAS - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30