GRAIL, Inc. 10-K Cybersecurity GRC - 2025-03-05

Page last updated on March 5, 2025

GRAIL, Inc. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2025-03-05 at 16:29:52 EST.

Filings

10-K filed on 2025-03-05

GRAIL, Inc. filed a 10-K at 2025-03-05 16:29:52 EST
Accession Number: 0001699031-25-000041


Item 1C. Cybersecurity.

Risk Management and Strategy

Given the importance of cybersecurity to our business, we maintain a cybersecurity program to help support the effectiveness of our systems and our preparedness for cybersecurity risks. Our program is informed by industry frameworks, such as the NIST Cybersecurity Framework, and comprises various components, including policies, procedures and protocols; threat monitoring and alerting; auditing and assessments; and other security controls and tools. We also require cybersecurity trainings when onboarding new employees and contractors, as well as annual cybersecurity awareness training for our employees and contractors. We use various means, including our Enterprise Risk Management ("ERM") process, in an effort to assess and manage cybersecurity risks that may be associated with our systems, operations, and third-party service providers. We also are working towards enhancing our cybersecurity risk management practices and various other security controls following the Spin-Off, and have at times conducted internal audits and engaged external assessors to help review our cybersecurity program and identify opportunities for maturing our program. For additional information, see "Item 1A-Risk Factors".

Identifying, assessing and managing cybersecurity risks

Our cybersecurity team and the owners of information technology systems across the business, led by our Chief Security Officer ("CSO"), monitor current events and trends related to cybersecurity in an effort to anticipate potential risks and threats on current systems and operations. We have implemented or are in the process of implementing various processes to identify, review and track risks to our systems and operations, including through the use of third-party solutions. We also seek to conduct due diligence in connection with the onboarding of new third-party vendors, and reviews are conducted on our critical third-party vendors.

Following these assessments, we utilize the findings to improve and mature our cybersecurity practices and to promote continuous improvement. In addition, we have implemented a cybersecurity awareness program to train our employees and contractors on key cyber threats, which includes phishing exercises. In the event of a cybersecurity incident, we have policies and processes for detecting threats and managing incident response. We also periodically conduct cross-functional exercises and activities to help detect, assess and respond to cybersecurity incidents, and have relationships with external providers to assist with incident response efforts, as needed. We also seek to contractually require our third-party service providers to notify us in the event a cybersecurity incident within their systems or services impacts our data or operations. We maintain specific coverage to help mitigate losses associated with certain cybersecurity incidents that impact our or our third parties' systems, networks and technology.

As of December 31, 2024, we are not aware of any risks from cybersecurity threats, or from previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Company. While we maintain a cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see "Item 1A-Risk Factors".

Governance

Our Board of Directors administers its cybersecurity risk oversight function through its Audit Committee. The Audit Committee is charged with reviewing our cybersecurity and other information technology risks, controls, and procedures, including our plan to mitigate cybersecurity risks and respond to data or cybersecurity incidents. The Audit Committee is also charged with reviewing with management cybersecurity issues that could affect the adequacy of our internal controls. At least annually, the Audit Committee meets directly with the CSO and the executive leadership team and receives a report on our cybersecurity program, posture, risks and other matters.

At least annually, we conduct an organization-wide ERM process to evaluate key risks in different areas of the business. Among those risks, cybersecurity risks are identified, and scores representing the potential likelihood and severity of each risk are determined. The executive leadership team and Audit Committee receive a direct report of the ERM program findings, including these cybersecurity risks. Third-party assessors, consultants, counsel or other parties also participate in Audit Committee discussions as needed. More broadly, the Audit Committee reviews our policies and practices with respect to risk assessment and risk management, including results from our overall ERM process, and discusses with management our major financial risk exposures and the steps that have been taken to monitor and control such exposures. Cybersecurity is a key piece of our overall ERM program.

The Audit Committee oversees the activities of, and meets regularly with, our Chief Compliance Officer, and receives direct reports from the Chief Compliance Officer regarding the ERM structure and activities of our compliance program, including updates on training, policies, auditing and monitoring, investigations and any corrective and preventive actions. As part of the ERM program, our Chief Compliance Officer gathers information about cybersecurity risk, and that information is included in the Chief Compliance Officer's report to the Audit Committee. The CSO is responsible for implementing and overseeing the controls and processes employed to identify, assess and manage the Company's risks from cybersecurity threats.

We also maintain a Privacy and Security Steering Committee that regularly meets to review and discuss cybersecurity issues and review our cybersecurity-related metrics. The Privacy and Security Steering Committee is comprised of the CSO and other representatives from our cybersecurity, IT, legal, and privacy teams. The CSO, cybersecurity team, and members of the Privacy and Security Steering Committee combined have decades of experience in managing relevant information technology and cybersecurity matters. The CSO also provides regular briefings to our executive leadership team, including the CEO and CFO, and our Audit Committee on cybersecurity matters, such as threats, events, and the state of the program, and at least annually as part of our ERM process. Our security program also includes a yearly audit of our controls towards cybersecurity certifications, including ISO 27001, SOC 2 Type 2, PCI DSS, UK Cyber Essentials, and others.


Company Information

Name: GRAIL, Inc.
CIK: 0001699031
SIC Description: Services-Medical Laboratories
Ticker: GRAL - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30