BeiGene, Ltd. 10-K Cybersecurity GRC - 2025-02-27

Page last updated on February 27, 2025

BeiGene, Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-27 06:12:34 EST.

Filings

10-K filed on 2025-02-27

BeiGene, Ltd. filed a 10-K at 2025-02-27 06:12:34 EST
Accession Number: 0001651308-25-000031


Item 1C. Cybersecurity.

We recognize the importance of safeguarding the security of our computer systems, software, networks, and other technology assets. Our cybersecurity efforts are aimed at preserving the confidentiality, integrity, and continued availability of information under our ownership or care with the aim to continually improve security features in order to keep pace with the evolving cyber threat landscape.

Overview of Cybersecurity Risk Management and Strategy

Our cybersecurity risk identification, assessment and management process is a critical part of our overall enterprise risk management (“ERM”) system. Within our ERM system, we adhere to our Information Security Management Policy (“ISM Policy”) which is aimed at providing guidelines to monitor, review and continually improve our Information Security Management System (“ISMS”). Our ISMS is informed by ISO/IEC 27001:2022 standards and is operated based on an action model that identifies information security missions and objectives, including improvement measures to achieve continuous optimization.

Our Cybersecurity Incident Response Plan (“CIRP”) is a critical component of our cybersecurity incident identification and management process, which, along with our incident response team, is designed to guide our response to potential cybersecurity incidents effectively and efficiently.

Our ISM Policy, ISMS and CIRP are all internal processes we use to assess, identify and manage material risks from cybersecurity threats. We also utilize external partnerships to help protect the Company from cybersecurity threats. This combination of people, processes and technology assists us to proactively manage and mitigate threats to our information technology environment. We have controls in place to defend against risks associated with cyber-attacks impacting our operations, compliance and financial reporting objectives.

We are externally audited and certified under the ISO 27001 and assessed yearly according to National Institute of Standards and Technology (“NIST”) guidelines. Our external partners also evaluate our cybersecurity maturity and coverage as part of their services and keep us informed of emerging global threats. We conduct a Testing, Training & Exercise program to test, sustain and refine our ability to respond to cybersecurity incidents in accordance with the best practices. We also maintain an information security training program for our employees.

Our Third-Party Security Management Standard provides a framework for managing third-party information security risks and defines controls to minimize risks to the Company. It applies to third parties who have access to or process Company information. This framework includes processes for conducting, as appropriate, due diligence, risk assessment and planning, contract management, access control, ongoing monitoring, and possible service termination of, or changes to the third-party as part of the selection and management process.

We have implemented a Threat Intelligence function that informs of external cyber threats which allows us to proactively protect the Company and to allow us to improve the speed of our vulnerability management capabilities.

Cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition. Similar to other companies, we and our third-party vendors have and will continue to experience threats to our systems and data.

Board Oversight of Risks from Cybersecurity Threats

The Board of Directors (“Board”) oversees risk management related to the operation of the business and corporate functions as well as the implementation of business strategy. Our Board has delegated to the Audit Committee oversight of risk management, which includes risks from cybersecurity threats.

We routinely review critical elements of our cybersecurity policies and program with the Audit Committee. The management team - including our Chief Information Security Officer (“CISO”) - provides periodic reports to the Audit Committee which cover cybersecurity and other information technology risks affecting the Company. Such reports are typically provided at an Audit Committee meeting and enable Audit Committee members to ask questions of management and engage in additional discussions in an open forum. The Audit Committee also periodically evaluates our overall cybersecurity strategy.

Management’s Role in Assessing and Managing Material Risks from Cybersecurity Threats

Our Information Security Steering Committee (“ISSC”) is responsible for oversight of matters related to information security and currently consists of professionals in legal operations and risk management, information governance, human resources operations, internal audit, computerized systems, global security and technical operations, and research technology, all of whose input brings significant value when assessing and managing cybersecurity risk. Our ISSC meets periodically and is presented with an update on cybersecurity matters from our CISO. Our CISO is responsible for facilitating the implementation of the plans and decisions made by the ISSC and directly provides updates to the Audit Committee as detailed above.

Our Vice President of Global Technology Solutions heads our Global Technology Solutions Team and, along with our CISO, is responsible for leading the individuals tasked with maintaining our enterprise-wide cyber resilience strategy, policy, standards, architecture, and processes.

Our CISO has over eighteen years of information technology and cybersecurity experience in multiple industries, including building and leading governance, risk, and compliance functions that cover ISO 27001 certified compliance, NIST Cybersecurity Framework assessments, Sarbanes-Oxley (“SOX”) information technology compliance, regional compliances, policy management, information technology risk management, vendor risk management, and security awareness. Our Vice President of Global Technology Solutions has over twenty years of experience leading technology organization and managing information security across multiple industries, including SOX 404 compliance, GxP audit and compliance, NIST Cybersecurity Framework assessments, managing incident response and communication with executives and board of directors.


Company Information

Name: BeiGene, Ltd.
CIK: 0001651308
SIC Description: Pharmaceutical Preparations
Ticker: ONC - Nasdaq; BEIGF - OTC
Website:
Category: Large accelerated filer
Fiscal Year End: December 30