Page last updated on February 24, 2025
Summit Therapeutics Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 06:53:28 EST.
Filings
10-K filed on 2025-02-24
Summit Therapeutics Inc. filed a 10-K at 2025-02-24 06:53:28 EST
Accession Number: 0001599298-25-000048
Item 1C. Cybersecurity.
We have implemented a risk-based approach to identify and assess the cybersecurity threats that could affect our business and information systems. We use recognized commercially reasonable measures, tools and methodologies designed to manage cybersecurity risk that are tested on a regular cadence. We also monitor and evaluate our cybersecurity posture on an ongoing basis through regular vulnerability scans, penetration tests and third-party reviews.

We rely on third-party service providers to provide the systems required to effectively run our clinical trials and endeavor to require third-party service providers that have access to personal, confidential or proprietary information to implement and maintain cybersecurity practices.

Specific controls that are used in appropriate portions of our environment include endpoint threat detection and response, identity and access management, privileged access management, logging and monitoring involving the use of security information and event management, multi-factor authentication, firewalls and intrusion detection and prevention, and vulnerability and patch management.

Our cybersecurity risk management processes are integrated into our enterprise risk management program.

To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we endeavor to:
- Monitor emerging data protection laws and implement changes to our processes to comply;
- Conduct annual cybersecurity management and incident training for employees that process sensitive data;
- Conduct onboarding and cybersecurity training for all employees on an ongoing basis;
- Conduct regular phishing email simulations for all employees; and
- Carry cybersecurity risk insurance meant to provide protection against the potential losses arising from a cybersecurity incident.
In addition, we engage several third-party consultants in connection with our risk assessment and risk management, and we have established separate processes and procedures to oversee and identify cybersecurity risks associated with third parties. All third parties involved in our cybersecurity risk assessments and risk management are required to provide reports designed to allow us to monitor and assess such third parties’ security controls.

Our incident response plan coordinates the activities that we and our third-party cybersecurity provider take to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with legal obligations and attempt to mitigate brand and reputational damage. We have business continuity plans that we periodically review and update in line with our evolving applications architecture.

Our cybersecurity leadership team is responsible for assessing and managing cybersecurity risks and is made up of experienced professionals with an extensive background in information security, risk management, and incident response. This team is led by our Head of Information Technology. The Head of Information Technology is a senior technology strategist and thought leader with over two decades of experience in the bio pharma, life sciences, and high-tech sectors.

Our Board of Directors provides oversight to our cybersecurity efforts to ensure effective governance in assessing and managing risks associated with cybersecurity threats.
Our Head of Information Technology provides periodic updates to senior management and quarterly updates to the Board of Directors regarding our cybersecurity program, including information about cyber risk management governance, status updates on various projects intended to enhance the overall cybersecurity posture of the Company, and information about the prevention, detection, mitigation and remediation of any cybersecurity incidents, as appropriate.

As of the date of this Annual Report on Form 10-K, we are not aware of any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company. However, we acknowledge that cybersecurity threats are continually evolving, and the possibility of future cybersecurity incidents remains. Despite the implementation of our cybersecurity processes, our security measures cannot guarantee that a significant cyberattack will not occur. While we devote resources to security measures designed to protect our systems and information, these measures cannot provide absolute security. No security measure is infallible. A successful attack on our information technology systems or on the systems of our third-party vendors could have material consequences on our business.

We describe whether and how risks from cybersecurity threats have or are reasonably likely to affect our financial position, results of operations and cash flows, under the heading “Risks Related to Our Intellectual Property, Cybersecurity and Data Privacy” included as part of Part 1, Item 1A, Risk Factors of this Annual Report on Form 10-K, which disclosures are incorporated by reference herein.
Company Information
Name | Summit Therapeutics Inc. |
CIK | 0001599298 |
SIC Description | Pharmaceutical Preparations |
Ticker | SMMT - Nasdaq |
Category | Non-accelerated filer, Smaller reporting company |
Fiscal Year End | December 30 |