Esperion Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

Esperion Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 09:04:34 EST.

Filings

10-K filed on 2025-03-07

Esperion Therapeutics, Inc. filed a 10-K at 2025-03-07 09:04:34 EST
Accession Number: 0001628280-25-011154

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cyber Risk Management and Strategy We, under the oversight of the audit committee of our board of directors, have implemented and maintain a cybersecurity framework, informed by the Center of Internet Security, or CIS, cybersecurity framework . This includes policies, processes and technologies designed to minimize risks from cybersecurity threats . We maintain oversight of our third-party vendors with access to our information technology resources through the inclusion of contractual security requirements as appropriate. Our cybersecurity approach is designed to minimize risks from cybersecurity threats identified by internal stakeholders, threat intelligence providers, vulnerability management programs, and security management programs. Our internal team manages and maintains remediation strategies for identified risks, and reports on them periodically to senior leadership. We also require our employees to participate in monthly cybersecurity awareness trainings, which include phishing awareness simulations, to raise employee awareness of cybersecurity risks. As appropriate, we assess our internal controls, including controls around our information technology systems and their impact on our financial statements or systems, through either independent audits or internal assessments with the assistance of third party resources . To date, we have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition; however, like other companies in our industry, we have, from time to time, experienced threats and cybersecurity incidents relating to our information technology systems and infrastructure. Our third party vendors may also experience threats and cybersecurity incidents from time to time. For more information, please refer to Item 1A, “Risk Factors,” in this Annual Report on Form 10-K. Governance Related to Cybersecurity Risks Our cybersecurity program and related operations and processes are directed by our Executive Director of Information Technology, whom we refer to as the IT Director . Currently, the IT Director role is held by an individual who has over 16 years of cybersecurity, information technology, and systems engineering experience. The Director of IT reports to our management - currently the Chief Business Officer. The IT Director meets with the Chief Financial Officer, the Chief Compliance Officer, and the General Counsel periodically to monitor and review the outcomes of our cybersecurity program and to discuss and decide matters related to cybersecurity treatment strategy (including mitigations). The IT Director and the Chief Financial Officer provide periodic reports to the audit committee on cybersecurity risk management, and, quarterly, the Chief Financial Officer updates the audit committee of any material changes in the Company’s cybersecurity framework or cybersecurity activity. The audit committee is responsible for reviewing and overseeing our risk management process, including risks from cybersecurity threats, pursuant to the audit committee charter. Our board of directors, as a whole and through its committees, has responsibility for the oversight of risk management. In its risk oversight role, our board of directors has the responsibility to confirm that the risk management processes designed and implemented by management are appropriate and functioning as designed.

Company Information