ALUMIS INC. 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

ALUMIS INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 16:23:37 EDT.

Filings

10-K filed on 2025-03-19

ALUMIS INC. filed a 10-K at 2025-03-19 16:23:37 EDT
Accession Number: 0001847367-25-000012

Item 1C. Cybersecurity.

Risk Management and Strategy

We manage cybersecurity risks utilizing a risk-based approach that incorporates various information security processes designed to identify, assess and manage risks from cybersecurity threats, including potential unauthorized access to our critical information technology systems and data. Depending on the environment, we maintain certain controls, systems, and other processes designed to identify, assess and manage our cybersecurity threats and risks, such as: maintaining network security controls, maintaining email security tools, utilizing certain third-party managed security services, such as managed detection and response, monitoring threat intelligence bulletins, conducting penetration tests and vulnerability scans, maintaining cybersecurity insurance, and conducting periodic employee cybersecurity training.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company’s overall enterprise risk management processes. For example, we evaluate and manage material risks arising from cybersecurity threats, along with other significant risks we face, against our overall business objectives and within our overall enterprise risk management practices. The audit committee of our board of directors (the “Audit Committee”) evaluates our overall enterprise risks.

We use service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example, outside security consultants and vendors, third party penetration testing providers, and forensic providers. Further, we use third-party service providers to perform a variety of functions throughout our business, such as software-as-a-service providers, data hosting companies, and contract research organizations. We maintain a vendor risk management process designed to help manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Company systems and data at issue, and the identity of the provider, our vendor risk management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including, for example, security questionnaires and the imposition of contractual obligations related to cybersecurity on the provider.

For a description about risks from cybersecurity threats that may materially affect the Company and how they may do so, see our Risk Factors under Part I, Item 1A., under the heading “If our information technology systems, or those used by our CROs, CMOs, clinical sites or other third parties with whom we work, or our data are or were compromised, become unavailable or suffer security breaches, loss or leakage of data or other disruptions, we could suffer material adverse consequences resulting from such compromise, including but not limited to, operational or service interruption, harm to our reputation, regulatory investigations or actions, litigation, fines, penalties and liability, and other adverse consequences to our business, results of operations, and financial condition.”

Governance

The board of directors addresses the Company’s cybersecurity risk management as part of its general oversight function. The Audit Committee has been designated by our board of directors to oversee the Company’s cybersecurity risk management process, including oversight of mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by a dedicated information technology team, led by our Executive Director of Information Technology who has over twenty years of experience managing information technology systems and cybersecurity risks and who reports directly to our Chief Financial Officer. Our Executive Director of Information Technology is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company’s overall risk management strategy, and communicating key priorities to relevant personnel. Our Executive Director of Information Technology, together with certain other senior management personnel, is responsible for approving functional cybersecurity budgets, implementing approved, phase-appropriate cybersecurity policies, plans and/or guidelines, reviewing security assessments and other security-related reports and overseeing cybersecurity processes.

Our incident response processes are designed to escalate certain incidents to members of management (including the Chief Financial Officer) depending on the circumstances. Our Executive Director of Information Technology works with the Company’s cybersecurity incident responders to help the Company mitigate and remediate cybersecurity incidents of which they are notified. The Company’s incident response processes also include reporting to the Disclosure Committee and the Audit Committee for certain cybersecurity incidents. In addition, the Audit Committee receives periodic updates on cybersecurity risks and information technology matters, including related risk exposures and the processes the Company has implemented to address them, from management.


Company Information

Name: ALUMIS INC.
CIK: 0001847367
SIC Description: Pharmaceutical Preparations
Ticker: ALMS - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company, Emerging growth company
Fiscal Year End: December 30