Page last updated on February 24, 2025
Tempus AI, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-24 16:05:55 EST.
Filings
10-K filed on 2025-02-24
Tempus AI, Inc. filed a 10-K at 2025-02-24 16:05:55 EST
Accession Number: 0000950170-25-025603
Item 1C. Cybersecurity.
Risk Management and Strategy
Our business depends on our continued ability to collect and safeguard vast amounts of personal and sensitive business information, including, among other types of data, protected health information (PHI), employee information, credit card information, insurance information, proprietary and confidential information about our business, financial information, trade secrets, intellectual property, and the sensitive and confidential information from the third parties with whom we work. We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, and hardware and software, to safeguard and prevent unauthorized access to this critical data (collectively Information Systems and Data). Our Chief Technology Officer, or CTO, and our Chief Information Security Officer, or CISO, together with our Enterprise Risk Management Committee help identify, assess, and manage the Company’s cybersecurity threats and risks. Working with a cross-functional team, these individuals and our Enterprise Risk Management Committee identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting internal and/or external audits, conducting vulnerability assessments to identify vulnerabilities, using external intelligence feeds, and third-party-conducted red/blue team testing and tabletop incident response exercises.
Our Information Security program has six broad components: Controls & Compliance; Security Operations; Cloud Security; Identity and Access Management; Application Security; and Data Governance. Within each program component, and depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: maintaining a vulnerability management policy and disaster recovery/business continuity plans, risk assessments, encryption of data, network security controls, data segregation, access controls, physical security, asset management, tracking and disposal, a vendor risk management program, a dedicated cybersecurity staff/officer, active monitoring, detection, prevention, mitigation, and remediation strategies to ensure we are adequately safeguarding and protecting our critical information, routinely conducting audits, vulnerability scans, penetration tests, social engineering simulations, security awareness training, and threat intelligence assessments to ensure that our systems, policies, and procedures are operating as intended. We also engage with a range of external experts to help us evaluate and attest to our risk management systems, including maintaining a certification pursuant to ISO 27001 and conducting periodic third-party audits to maintain our certification. In addition, we maintain a detailed Incident Response Plan to assist in responding to potential cybersecurity threats. Our Incident Response Plan addresses critical aspects of incident management, including detection, impact analysis, containment, mitigation, remediation, recovery, and long-term strategies to prevent future incidents. Our Information Security and Privacy Teams conduct tabletop exercises twice per year to ensure preparedness for information security, including cybersecurity incidents.
In addition, we promote a company culture of awareness and discipline in cybersecurity matters through annual employee training and education, including periodic phishing and social engineering simulations. We also maintain cybersecurity insurance coverage. Our Privacy program is designed to support and enhance our Cybersecurity program. We perform an annual HIPAA Security Risk Assessment, among other things, to help identify remediation priorities and to ensure we have implemented best practices in storing and safeguarding PHI. Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall risk management processes. For example, (1) cybersecurity risk is addressed as a component of the Company’s enterprise risk management program; (2) the information security department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business; (3) our Enterprise Risk Management Committee evaluates material risks from cybersecurity threats against our overall business objectives and reports to the board of directors, which evaluates our overall enterprise risk. We frequently collaborate with other third-party service providers to conduct regular audits, threat assessments, and consultation on cybersecurity strategy, enhancements, and best practices. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example, professional services firms, including legal counsel, cybersecurity software providers, and penetration testing firms. We use third-party service providers to perform a variety of functions throughout our business, such as application providers and cloud infrastructure providers. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. 
The program includes security questionnaires, review of the vendor’s written security program, review of security assessments, and security assessment calls with the vendor’s security personnel. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. For more information regarding the risks we face from cybersecurity threats, please see “Item 1A. Risk Factors” included elsewhere in this Annual Report on Form 10-K, including “Cyber-based attacks, security breaches, loss of data and other disruptions in relation to our information systems and computer networks could compromise sensitive information related to our business, prevent us from accessing it and expose us to substantial liability, which could adversely affect our business and reputation.”
Governance
Our Board of Directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The Board of Directors’ Audit Committee is responsible for overseeing Company’s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes as well as our Information Security program are implemented and maintained by certain Company management, including our CTO and our CISO, who have 25 years of experience in cybersecurity and IT Operations respectively. Our CTO and CISO collaborate with a cross-functional team of seasoned professionals responsible for maintaining, improving, and promoting our Information Security program.
In addition to the oversight by our Technology and Security leaders, representatives from our Information Technology, Legal, Privacy, Finance, Regulatory, Quality, and Compliance teams are integral to the successful implementation of our overall Information Security program. The CISO is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. The CISO and CTO are responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our Incident Response Plan is designed to escalate certain cybersecurity incidents to members of management depending on the circumstances. This team works with the Company’s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company’s Incident Response Plan includes reporting to the Audit Committee of the board of directors for certain cybersecurity incidents. Our CISO reports to the full Board of Directors quarterly, or more frequently as needed. These reports generally address each of the six components of our Information Security program, including the Company’s progress on initiatives we have prioritized for the quarter. Our Audit Committee has general oversight responsibility for our data security practices, and we believe the Committee has the requisite skills and visibility into the risk profile of our Company to fulfill this responsibility effectively. Our CTO, CISO, or other members of our Enterprise Risk Management Committee report to the Audit Committee quarterly or on an as-needed basis. Senior members of our management are responsible for assisting our CTO and CISO in managing cybersecurity risk.
We maintain a cross-functional Enterprise Risk Management Committee, which meets monthly to identify, assess, mitigate, and remediate risks impacting the Company, including cybersecurity risks. Members of this committee include our CISO, CTO, Chief Financial Officer, Chief Privacy Officer, General Counsel, Chief Commercial Officer, Chief Scientific Officer, Chief Medical Officer, Chief Legal Officer, and the heads of our Regulatory and Quality teams. The Enterprise Risk Management Committee informs members of the Audit Committee regarding the overall enterprise risks identified by management, progress on remediation efforts identified in the prior quarter, and risk mitigation priorities for the forthcoming quarter.
Company Information
Name | Tempus AI, Inc. |
CIK | 0001717115 |
SIC Description | Services-Computer Programming, Data Processing, Etc. |
Ticker | TEM - Nasdaq |
Website | |
Category | Non-accelerated filer Emerging growth company |
Fiscal Year End | December 30 |