Page last updated on March 3, 2025
RHYTHM PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-28 08:19:11 EST.
Filings
10-K filed on 2025-02-28
RHYTHM PHARMACEUTICALS, INC. filed a 10-K at 2025-02-28 08:19:11 EST
Accession Number: 0001558370-25-001889
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information.
We design and assess our cybersecurity program based on the NIST Cybersecurity Framework (CSF). This framework provides us with a common language and structure for identifying, assessing, and managing cybersecurity risks across our organization. We do not claim to comply with the standards or specifications by using this framework. It is a guide to help us manage the cybersecurity risks that are relevant to our business.
Our cybersecurity program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas.
To this end, we have implemented a cybersecurity program that includes the following key elements:
● A Cybersecurity Manager responsible for, among other things, developing and maintaining our administrative, technical, and physical cybersecurity controls.
● Risk assessments using the CIS Risk Assessment Method (RAM), which identify material cybersecurity risks to our critical systems and information.
● A vulnerability management program that involves the continuous monitoring of information systems for vulnerabilities, and a process to effectively remediate those vulnerabilities based on criticality level.
● A comprehensive Disaster Recovery plan to ensure IT personnel and Business owners are prepared for any disruption to Rhythm’s business.
● A constantly available Security Operations Center (SOC) to monitor our critical infrastructure and execute immediate, human-led responses to confirmed threats.
● External technology and security providers to assess, test or otherwise assist with aspects of our cybersecurity program.
● Cybersecurity awareness training for employees, including supplemental training for senior management and other personnel who access highly sensitive information.
● A trained incident response team and written procedures to effectively respond to potential computer security incidents.
● A third-party risk management process to evaluate the business risk of working with key service providers and vendors who access sensitive information.
We have not identified any cybersecurity incidents that have materially affected our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For more information, see the section titled “Risk Factors- Our information technology systems, or those of our third-party CROs, CMOs or other contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of setmelanotide development programs, regulatory investigations, enforcement actions and lawsuits.”
Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee (the “Committee”) oversight of cybersecurity risks. The Committee oversees management’s implementation of our cybersecurity program.
The Committee receives periodic reports from management on our cybersecurity program and risks. In addition, management updates the Committee, as necessary, regarding any material cybersecurity incidents, as well as any incidents with lesser impact potential.
The Committee reports to the full Board regarding its activities and risk management functions, including those related to cybersecurity. Board members receive presentations on cybersecurity risk and strategy from our Senior Cybersecurity Manager, as part of the Board’s continuing education on topics that impact public companies.
The Senior Cybersecurity Manager, with the help of our IT and Legal team, is responsible for assessing and managing our material risks from cybersecurity threats. This position has the primary responsibility for our overall cybersecurity risk management program and supervises both our internal personnel and our retained external cybersecurity consultants. The current Senior Cybersecurity Manager has extensive information security and program management experience and has held past positions as a virtual CISO for a wide range of organizations.
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel and other information obtained from governmental, public, or private sources, including external consultants engaged by us, and alerts and reports produced by security tools deployed in the IT environment.
Company Information
Name | RHYTHM PHARMACEUTICALS, INC. |
CIK | 0001649904 |
SIC Description | Pharmaceutical Preparations |
Ticker | RYTM - Nasdaq |
Category | Large accelerated filer |
Fiscal Year End | December 30 |