IONIS PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2025-02-19

Page last updated on February 19, 2025

IONIS PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-19 16:06:39 EST.

Filings

10-K filed on 2025-02-19

IONIS PHARMACEUTICALS INC filed a 10-K at 2025-02-19 16:06:39 EST
Accession Number: 0000874015-25-000089

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain various information security processes designed to detect, respond to, recover, and protect our technology ecosystem from cybersecurity threats. These processes are designed to identify, assess, and manage material risks that may result from cybersecurity threats and apply to our critical technologies inclusive of networks, third party hosted services, communications systems, hardware, software, and critical data, including intellectual property and confidential information that is proprietary, strategic, or competitive in nature. Our Information Technology department, led by our Senior Vice President, Information Technology, helps to detect, respond to, and manage cybersecurity threats and risks by monitoring and evaluating our threat environment using various manual and automated tools in certain environments and systems and other methods including, for example: ● analyzing reports of certain threats and actors; ● conducting scans of the threat environment; ● evaluating our and our industry’s risk profile; ● evaluating certain threats reported to us; ● conducting internal and external audits; ● conducting threat assessments for certain internal and external threats; and ● conducting vulnerability assessments designed to identify vulnerabilities. Depending on the environment, system and data, we have implemented and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our critical technologies and data, including, for example: ● incident response plan; ● disaster recovery/business continuity plans; ● risk assessments; ● encryption of certain data; ● network security and access controls for certain systems; ● physical security; ● asset management, tracking and disposal; ● systems monitoring; and ● employee training. Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes . For example, cybersecurity risk is assessed as a component of our enterprise risk management program. In addition, we have developed a process whereby our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports certain cybersecurity incidents to the Audit Committee of the Board of Directors, which evaluates our overall enterprise risk. We use third-party providers to perform various functions throughout our business, such as application providers and hosting companies. We use third-party providers to assist us from time to time in an effort to identify, assess, and manage material risks from cybersecurity threats, including, for example, legal counsel, cybersecurity consultants, cybersecurity software providers, penetration testing firms, and forensic investigators. The Company maintains a risk-based approach and process designed to identify and oversee cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could materially impact our business if there is a cybersecurity incident affecting those third-party systems. For an additional description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Item 1A, Risk Factors , in this Annual Report on Form 10-K, including the risk factor titled " We are dependent on data as well as information technology systems and infrastructure, which exposes us to data protection risks ." Governance Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board of Directors is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Audit Committee also oversees our internal audit department and management’s internal controls over financial reporting, including with respect to cybersecurity. Our cybersecurity risk assessment and management processes are implemented and maintained by our Senior Vice President, Information Technology , who holds an undergraduate degree in Computer Engineering and has served in information technology and security roles dedicated to the pharmaceutical and biotechnology sector for approximately 18 years, including serving as the Chief Information Officer of two public biopharmaceutical companies. Our Senior Vice President, Information Technology is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, communicating key priorities to relevant personnel, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response plan is designed to escalate certain cybersecurity incidents, depending on the circumstances, to our senior management team and Audit Committee of the Board of Directors. The Audit Committee of the Board of Directors receives reports from our Senior Vice President, Information Technology concerning our significant cybersecurity threats and risks (including certain cybersecurity threats) and the processes we have implemented that are designed to address them.

Company Information