Amylyx Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2025-03-04

Page last updated on March 4, 2025

Amylyx Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-04 06:24:17 EST.

Filings

10-K filed on 2025-03-04

Amylyx Pharmaceuticals, Inc. filed a 10-K at 2025-03-04 06:24:17 EST
Accession Number: 0000950170-25-031309

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize that cybersecurity threats have been increasing in number and severity in the general marketplace and in our industry. In an effort to address the threat landscape, we maintain a cybersecurity risk management strategy that is designed to identify, assess, manage, and address cybersecurity threats that may have a material impact on our business. Our cybersecurity risk management strategy includes various policies and components, including cybersecurity assessments, an incident response plan, evaluation of the security practices of our key vendors, and cybersecurity awareness training for our staff. We engage a third-party to conduct a cybersecurity risk assessment on an annual basis, which is informed by the National Institute of Standards and Technology, or NIST Cybersecurity Framework. We have established a process for our IT security team to track and quantify known IT security risks and our remediation efforts through a cybersecurity risk register. The IT security team meets periodically to review and update the cybersecurity risk register based on feedback across the organization and the findings contained in our NIST-informed annual cybersecurity risk assessment. The IT security team reports on findings on at least an annual basis to the executive leadership team and the board of directors. We have established a process to review and assess vendors’ security posture and practices prior to their onboarding. Vendors that access, store or process our data are required to respond to a cybersecurity questionnaire and provide applicable security audit reports and certifications. Our process also includes contractual requirements to maintain data protection safeguards for vendors that process data on our behalf. We maintain a security awareness training program for employees, which is provided through digital microlearning assignments. We also provide additional mandatory trainings, including phishing training, throughout the year. We maintain a Written Information Security Program, or WISP, that defines our organization’s cybersecurity policies and procedures. This covers all aspects of cybersecurity, including but not limited to risk management, third party security assessments, security awareness training, acceptable use, endpoint security, patch management, log management, backup and recovery. We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected, and we do not believe they are reasonably likely to materially affect, our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our and our third-party vendors’ information systems. For more information about the cybersecurity risks we face, see the risk factor entitled “Cyber-attacks or other failures in our telecommunications or IT systems, or those of our collaborators, CROs, third-party logistics providers, distributors or other contractors or consultants, could result in information theft, data corruption and significant disruption of our business operations” in Item 1A- Risk Factors. Governance of Cybersecurity Risks Our board of directors is responsible for the general oversight of cybersecurity risks and is informed of key updates to our cybersecurity processes by relevant members of our executive leadership team on at least an annual basis. Our executive leadership team meets with our Head of Global Information Technology, along with other members of our IT security team as needed, to discuss cybersecurity matters, such as the emerging cybersecurity threat landscape, significant developments to our cybersecurity processes, and our cybersecurity risk assessments. Senior management is thus kept abreast of the cybersecurity posture and potential risks facing our company. Our cybersecurity incident response process is designed to proactively triage, contain, investigate, mitigate and correct all incidents at the direction of the Head of Global Information Technology. Critical incidents are assessed for materiality, and escalated to the executive leadership team for awareness, direction and approval as needed. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the Board of Directors, as needed, to provide oversight and guidance on critical cybersecurity issues. 90 Our IT security team, led by the Head of Global Information Security, Governance and Architecture (“Head of Global ISGA”), is responsible for managing and directing the day-to-day information security strategy of the organization, including oversight of our cybersecurity tools , controls and strategies to protect organization assets, networks and data. The Head of Global ISGA reports to our Head of Global Information Technology. The Head of Global ISGA routinely reports on cybersecurity risks, projects, and initiatives to the Head of Global Information Technology, who regularly reports to executive management and the audit committee on these matters as described above. The Head of Global ISGA maintains a Certified Information Systems Security Professionals, or CISSP, certification and has more than two decades of IT security management experience. The IT security team is supported by external vendors that provide managed services for network support, security operations and other IT areas as needed. Our IT security team also meets regularly with our Global Privacy Committee, which oversees our Enterprise Data Protection Program, to coordinate on cybersecurity initiatives and strategy related to protection of personal data.

Company Information