Akebia Therapeutics, Inc. 10-K Cybersecurity GRC - 2025-03-13

Page last updated on March 13, 2025

Akebia Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 07:27:55 EDT.

Filings

10-K filed on 2025-03-13

Akebia Therapeutics, Inc. filed a 10-K at 2025-03-13 07:27:55 EDT
Accession Number: 0001628280-25-012470

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We have certain processes for assessing, identifying, and managing material risks from cybersecurity threats, which are integrated into our enterprise risk management processes. Specifically, we have processes for: - Identifying and Managing Cybersecurity Risks - We have implemented a cross-functional approach to assessing, identifying and managing material cybersecurity threats and incidents. We periodically review, assess, update and test our policies, standards, processes and practices in a manner intended to address cybersecurity threats and events. The results of such reviews, assessments and tests are evaluated by management and reported to our Audit Committee of the Board of Directors, or the Audit Committee , and our Board of Directors. - Technical Safeguards - We have integrated cybersecurity into our overall information technology operations and designed our processes and systems to help protect our information assets and operations from internal and external cyber threats, protect employee and patient information from unauthorized access or attack as well as secure our networks and systems. - Incident Response and Recovery Planning - To better facilitate our cybersecurity program, our cybersecurity team works collaboratively across our Company to implement programs designed to protect our information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents. We conduct periodic tabletop exercises, including incident simulations to test these plans and ensure personnel are familiar with their roles and responsibilities in a response scenario. - Third-Party Risk Management - We maintain a risk-based approach to identifying and overseeing material cybersecurity threats presented by third parties and the systems of third parties that could adversely impact our business in the event of a material cybersecurity incident affecting those third-party systems. Also, we engage certain external cybersecurity firms to enhance our cybersecurity oversight and cybersecurity breach detection over third party service providers. - Education and Awareness - We provide training regarding cybersecurity threats as a means to equip our employees and consultants with tools to make employees and consultants aware of and to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs. We adjust our cybersecurity policies, standards, processes, and practices as necessary based on the information provided by our assessments, audits and reviews. Such processes include (i) procedural and technical safeguards, (ii) response plans, (iii) periodic tests on our systems, (iv) incident simulations and (v) routine review of our cybersecurity policies and procedures to identify risks and improve our practices. We engage certain external cybersecurity firms to enhance our cybersecurity oversight. We include confidentiality provisions in all contracts with third-party service providers, and data protection provisions in certain contracts with third-party service providers where applicable, to help protect us and our employees and patients from any related vulnerabilities. Governance Our Board of Directors is responsible for exercising oversight of management’s identification and management of, and planning for, risks from cybersecurity threats. While the full Board of Directors has overall responsibility for risk oversight, the Board of Directors has delegated oversight responsibility related to risks from cybersecurity threats to the Audit Committee of our Board of Directors. The Audit Committee reports to the Board of Directors at least annually, and notifies the Board of Directors as necessary regarding significant new cybersecurity threats or incidents. The Audit Committee meets annually to discuss our approach to overseeing cybersecurity threats with management, including with members of our internal cybersecurity team. We use an internal management team to run our information technology and cybersecurity functions, which includes our information and cybersecurity team leads who have collectively served in various roles in information technology and information security for over 25 years, including at other public companies. Through ongoing communications with this management committee, senior management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real-time and reports such threats and incidents to the Audit Committee, when appropriate. Management updates the Audit Committee quarterly regarding our cybersecurity threat risk management and strategy programs. Members of the Audit Committee are also encouraged to regularly engage in ad hoc Akebia Therapeutics, Inc. | Form 10-K | Page conversations with management on cybersecurity-related topics and discuss any updates to our cybersecurity risk management and strategy programs. The Audit Committee is notified between such updates regarding significant new cybersecurity threats or incidents that meet pre-established reporting thresholds and any ongoing updates regarding any risk, as needed. We have not identified any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations or financial condition. However, as discussed under “Risk Factor - Risks Related to our Business and Managing Growth” in Part I, Item 1A of this Form 10-K, cybersecurity threats could pose multiple risks to us. As cybersecurity threats become more frequent, sophisticated, and coordinated, it is reasonably likely that we will be required to expend greater resources to continue to modify and enhance our protective measures.

Company Information