Page last updated on February 25, 2025
Arcus Biosciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-25 16:09:12 EST.
Filings
10-K filed on 2025-02-25
Arcus Biosciences, Inc. filed a 10-K at 2025-02-25 16:09:12 EST
Accession Number: 0001724521-25-000040
Item 1C. Cybersecurity.
Risk management and strategy
We have implemented and maintain a cybersecurity program that includes various processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software (collectively, “Information Systems”), and our critical data, including clinical trial and candidate data, intellectual property, and confidential information that is proprietary, strategic or competitive in nature (collectively with Information Systems, “Information Systems and Data”).
Our program is designed and assessed using the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), which guides our approach to identifying, assessing, and managing material cybersecurity risks relevant to our business. While we use this framework to inform our cybersecurity practices, this does not imply compliance with any particular technical standards, specifications, or requirements.
Under this framework, our information security function, led by our Chief Information Officer, helps to identify, assess and manage the Company’s cybersecurity threats and risks. This function helps to identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example, deploying automated tools in certain environments, subscribing to and analyzing reports and services that identify certain cybersecurity threats, conducting scans of certain aspects of the Company’s threat environment, evaluating certain threats that are reported to us, conducting internal and external audits and internal threat assessment of certain environments, engaging third parties to conduct threat assessments, and conducting vulnerability assessments. We have engaged third-party providers to periodically assess certain of our internal controls and procedures for information security.
We have also taken certain measures to mitigate cybersecurity risks, including, for example, cybersecurity awareness training for employees and management, periodic testing through simulated “phishing” campaigns (and require remedial training based on results) and the adoption of an incident response plan, vulnerability management policy and business recovery plan. Furthermore, our information security function works with a security committee (the “Security Committee”) to prioritize our risk management processes, mitigate cybersecurity threats that are more likely to lead to a material impact to our business and evaluate material risks from cybersecurity threats against our overall business objectives.
We use third-party service providers to perform a variety of functions throughout our business, such as CROs and contract manufacturing organizations (“CMOs”). Under our information security function, we perform risk and security assessments for certain of our vendors that involve a review of the vendor’s written security program. Depending on the nature of the services provided, and the sensitivity of the Information Systems and Data at issue, and the identity or experience of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and we may impose contractual obligations related to cybersecurity on the vendor.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, please see “Risk Factors - Our internal information technology systems, and those of our third-party CROs and other third parties upon which we rely, are subject to failure, security breaches and other disruptions, which could result in a material disruption of our investigational products’ development programs, jeopardize sensitive information, prevent us from accessing critical information or result in a loss of our assets, and potentially expose us to notification obligations, loss, liability or reputational damage and otherwise adversely affect our business.” in Part I, Item 1A herein.
Governance
Our board of directors considers cybersecurity risk management as part of its general oversight function. The board of directors’ audit committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.
Our Security Committee is comprised of key management stakeholders and experts and is chaired by our Chief Information Officer, who has over 20 years of strategic and operational IT/cybersecurity leadership experience and multiple cybersecurity certifications, from leading security organizations such as (ISC)2, Cloud Security Alliance, Cisco Security, Microsoft Security. The Security Committee is responsible for helping to integrate cybersecurity risk considerations into our overall risk management strategy and communicating key priorities to relevant personnel, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
The audit committee receives periodic reports from our Chief Information Officer concerning significant cybersecurity threats and risk and the processes we have implemented to address them.
Under our incident response plan, certain incidents would also be reported to the board. Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal personnel; threat intelligence and other information obtained from public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.
Company Information
Name | Arcus Biosciences, Inc. |
CIK | 0001724521 |
SIC Description | Pharmaceutical Preparations |
Ticker | RCUS - NYSE |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |