MADRIGAL PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2025-02-26

Page last updated on February 26, 2025

MADRIGAL PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-26 09:09:31 EST.

Filings

10-K filed on 2025-02-26

MADRIGAL PHARMACEUTICALS, INC. filed a 10-K at 2025-02-26 09:09:31 EST
Accession Number: 0001628280-25-007980

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners. Cybersecurity Program Given the importance of cybersecurity to our business, we maintain a cybersecurity program to support the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical, and technical safeguards. We have conducted and continue to conduct evaluations of our cybersecurity program through periodic external audits and penetration tests. We also require cybersecurity trainings when onboarding new employees, contractors and other workforce members, as well as annual cybersecurity awareness training for our employees, contractors and other workforce members. Our program is based on industry frameworks, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) to strengthen our program effectiveness and reduce cybersecurity risks. We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider and performing additional risk screenings and procedures, as appropriate. We use a number of means to assess cyber risks related to our third-party service providers, including collecting vendor questionnaires and conducting due diligence in connection with onboarding new vendors. We also collect and assess cybersecurity audit reports and other supporting documentation when available and include appropriate security terms in our contracts where applicable as part of our oversight of third-party providers. Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats In the event of a cybersecurity incident, we maintain an incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat; containing the threat; remediating the threat, including recovery of data and access to systems; analyzing any reporting obligations associated with the incident and performing post-incident analysis. We have relationships with a number of third-party service providers to assist with cybersecurity monitoring, containment and remediation efforts. Governance Management Oversight Our controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Information Technology (“IT”) Security and Risk Committee, which consists of our Chief Information Officer (“CIO”) and internal and third-party cybersecurity professionals. Our CIO has more than 25 years of experience as an IT professional overseeing and supporting IT operations in the biopharmaceutical industry, including several years of experience in cybersecurity . The members of the IT Security and Risk Committee also have expertise in cybersecurity. The IT Security and Risk Committee is responsible for the day-to-day management of our cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to help ensure that the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Our CIO provides regular briefings to our senior management team on cybersecurity matters, including threats, events and program enhancements. Board Oversight While our board of directors has overall responsibility for risk oversight, our Audit Committee oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management and overseeing our data privacy, information technology and security and cybersecurity risk exposures, including: (i) the potential impact of those exposures on the Company’s business, financial results, operations and reputation; (ii) the programs and steps implemented by management to monitor and mitigate any exposures; (iii) our information governance and cybersecurity policies and programs and (iv) major legislative and regulatory developments that could materially impact our data privacy and cybersecurity risk exposure. On a quarterly basis, our General Counsel, Chief Financial Officer (“CFO”) and CIO report to the Audit Committee on information technology and cybersecurity matters, including, as appropriate, key risks, a detailed threat assessment relating to information technology risks, as applicable, the potential impact of those exposures on our business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures and any major legal developments that could significantly impact our cybersecurity risk exposure. Cybersecurity Risks Our cybersecurity risk management processes are integrated into our overall Enterprise Risk Management (“ERM”) process. As part of our ERM process, department leaders identify, assess and evaluate risks impacting our operations across our organization, including those risks related to cybersecurity. While we believe we maintain an effective cybersecurity program, the techniques used to infiltrate IT systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our systems, networks and technology. To date, there have not been any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations or financial condition. See the section titled “Risk Factors-General Risk Factors-A failure of our information technology infrastructure and cybersecurity threats may adversely affect our business and operations.” in this Annual Rep ort for more information.

Company Information