Aurinia Pharmaceuticals Inc. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

Aurinia Pharmaceuticals Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 06:12:18 EST.

Filings

10-K filed on 2025-02-27

Aurinia Pharmaceuticals Inc. filed a 10-K at 2025-02-27 06:12:18 EST
Accession Number: 0001600620-25-000011


Item 1C. Cybersecurity.

Risk Management and Strategy

We maintain a cybersecurity risk management program as part of the Company’s overall risk management framework and related policies and processes to identify, assess and manage material risks from cybersecurity threats. Our Information Security Policy is designed to align with certain best practices, including GDPR. This policy promotes the management and execution of our information security framework for preserving the confidentiality, integrity, availability and privacy of our information assets, including by helping enable us to better oversee, monitor and identify certain risks related to the processing of information by authorized third-party service providers. We also have an Information Technology (“IT”) Steering Committee to help ensure security and compliance across our IT services. We have in the past, and may in the future, engage third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes.

We implement a layered strategy for overseeing and identifying material risks from cybersecurity threats associated with our use of third party service providers, including: (i) the use of a suite of Microsoft tools (including Microsoft Defender); (ii) a cloud IT strategy that eliminates any central platform; (iii) engaging a cybersecurity firm that monitors our systems 24/7 and provides daily alerts and updates; (iv) regular cybersecurity training for all employees and contractors; and (v) policies and procedures that govern employee activities along with technical controls in place to enforce those policies and procedures.

During 2024, we refreshed our business continuity program to assess the resilience of our processes and systems against potential threats, including cyber-attacks. Our refreshed crisis management and business continuity program establishes crisis management instructions with a detailed plan for each business department outlining critical processes, internal and external dependencies and recovery strategies. In addition, routine information security training and updates are regularly rolled out to our employees, and we track certain metrics that we believe help ensure we have a strong security posture.

To date, cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our Company. See “We rely significantly on information technology and any failure, inadequacy, or security lapse of that technology, including any cybersecurity incidents, could harm us” in the “Risk Factors” section of this Annual Report for further information.

Governance

One of the key functions of our Board is informed oversight of our risk management process. Our Board administers the risk oversight function directly through the Board, as well as through various standing committees of our Board that address risks inherent in their respective areas of oversight. The Board at least annually reviews management’s annual enterprise risk assessment, business continuity process and cybersecurity posture.

Our Audit Committee is responsible for overseeing the management of risks associated with our financial reporting, accounting and auditing matters, as well as business-related risks (such as leadership, continuity, cybersecurity and matters relating to our commercial activities), reviewing as required our processes around the management and monitoring of such risks, as well as conducting a risk assessment review. Our Audit Committee charter sets forth the responsibilities of the Audit Committee consistent with applicable SEC and Nasdaq rules, including reviewing our approach to risk mitigation with respect to IT and cybersecurity. An information security update is provided quarterly, or as needed, to the Audit Committee, with a detailed review provided at least annually, or as needed.

In addition, our Chief Information Officer (“CIO”) is responsible for leading the assessment and management of cybersecurity risks. Our CIO, who has held this position since 2021, has over 20 years of experience in information security and holds an MBA from The George B. Delaplaine School of Business and Economics. He was previously CIO at Autolus Therapeutics from 2018 to 2021, and CIO at Sucampo Pharmaceuticals from 2015 to 2018. Prior to that, he was a Director, IT at AstraZeneca from 2008 to 2015. Our CIO regularly receives reports from our Head of Enterprise Technology along with our cybersecurity partners on cybersecurity threats and incidents, as applicable.


Company Information

Name: Aurinia Pharmaceuticals Inc.
CIK: 0001600620
SIC Description: Pharmaceutical Preparations
Ticker: AUPH - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30