REPLIGEN CORP 10-K Cybersecurity GRC - 2025-03-13

Page last updated on March 14, 2025

REPLIGEN CORP reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 19:14:28 EDT.

Company Summary

Repligen is a biopharmaceutical company developing consumable products for the manufacture of biological drugs.

Filings

10-K filed on 2025-03-13

REPLIGEN CORP filed a 10-K at 2025-03-13 19:14:28 EDT
Accession Number: 0000950170-25-038999


Item 1C. Cybersecurity.

Governance Related to Cybersecurity Risks

Our Board of Directors (“Board”) holds overall oversight responsibility for the Company’s strategy and risk management, including in relation to cybersecurity risks. Our Board exercises its oversight function through the Audit Committee, which oversees the management of risk exposure across various areas, including data security risks, in accordance with its charter. The Audit Committee receives quarterly reports from our Chief Information Officer (“CIO”) on the status of the Company’s cybersecurity program, including measures implemented to monitor and address cybersecurity risks and threats, as appropriate.

Our enterprise risk management committee (“ERMC”) is composed of senior management, including the CIO and other senior executives. The ERMC monitors and oversees risk areas that potentially could pose a high impact to the business, and cybersecurity currently is one of the ERMC’s priority focus areas. The ERMC reports on our top identified risks and steps to address those risks to the full Board on a semi-annual basis.

Our CIO has over twenty years of information technology experience. Our IT Infrastructure & Security Operations teams manage the day-to-day administration of our cybersecurity program. We also work with a managed security service provider to monitor for vulnerabilities and threats. The service provider has the authority to take actions to remediate critical and high vulnerabilities, and these are reported to the IT Infrastructure & Security Operations team and up to the CIO and other members of senior management, where appropriate.

We engage employees in our cybersecurity efforts through a quarterly process for employees to complete mandatory security and awareness training as well as monthly simulated phishing campaigns. We also conduct specific training and tabletop exercises for key personnel involved in cybersecurity risk management.

Cybersecurity Risk Management and Strategy

We maintain a cybersecurity program, which is informed by industry standards, that includes processes for identification, assessment, and management of cybersecurity risks and which is integrated into our larger enterprise-wide risk management program.

We conduct periodic risk assessments, including with support from external vendors, to assess our cyber program, identify areas of enhancement, and develop strategies for the mitigation of cyber risks. We also conduct regular security penetration testing and have established a vulnerability management process supported by security testing, for the treatment of identified security risks based on severity. Third-parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional contractual controls.

Our IT Infrastructure & Security Operations team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks through various means, including by leveraging managed security service providers and other third-party security software and technology services. In addition, we institute processes and technologies for the monitoring of security alerts from internal parties and external resources, including from information security research sources. We also have implemented processes and technologies for network monitoring and data loss prevention procedures.

We have been subject to cybersecurity incidents in the past, including the publicly disclosed July 2024 security incident. Although we do not believe that risks from cybersecurity threats, including as a result of any previous cybersecurity incidents have materially affected us, our business strategy, results of operations or financial condition, there is no guarantee that past security incidents and any future incidents will not have a material impact on our business strategy, results of operations, or financial condition in the future. See Item 1A, “Risk Factors,” to this report for more information.


Company Information

Name: REPLIGEN CORP
CIK: 0000730272
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: RGEN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30