IRONWOOD PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2025-03-31

Page last updated on March 31, 2025

IRONWOOD PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-31 07:07:37 EDT.

Filings

10-K filed on 2025-03-31

IRONWOOD PHARMACEUTICALS INC filed a 10-K at 2025-03-31 07:07:37 EDT
Accession Number: 0001558370-25-004072

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have a multilayered framework for assessing, identifying, detecting and responding to reasonably foreseeable cybersecurity risks and threats. To protect our information technology, or IT, systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve and recover from identified vulnerabilities and security incidents in a timely manner. In the event of a material change to our systems or operations, we would conduct an assessment of the internal and external threats to the security, confidentiality, integrity, and availability of our data and systems, along with other material risks to our operations. We leverage third-party security services for audit, benchmarking, and improvement and use various tools and methodologies to manage cybersecurity risks that are tested regularly, including a cybersecurity assessment guided by the National Institute of Standards and Technology (NIST) cybersecurity framework and ongoing security awareness training. We oversee third-party service providers by conducting vendor diligence upon onboarding and ongoing monitoring. Vendors are assessed for risk based on the nature of their digital footprint, company profile, domain name services health, internet protocol reputation, external access threats and social engineering landscapes, based on that assessment, we conduct diligence that may include completing security questionnaires, onsite evaluation, and scans or other technical evaluations. We also monitor and evaluate our cybersecurity posture and performance on an ongoing basis through regular vulnerability scans, simulated phishing tests, penetration tests, and threat intelligence feeds. The results of these assessments are reported to the Audit Committee of the Board of Directors. We have developed an incident response plan designed to coordinate the activities that we and our third-party service providers take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate any reputational damage. Our business strategy, results of operations and financial condition have not been materially affected as a result of previously identified cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such cybersecurity risks or any future material incidents. For more information on our cybersecurity-related risks, see Item 1A, Risk Factors , elsewhere in this Annual Report on Form 10-K. The Company’s Senior Vice President, Controller and Principal Accounting Officer is responsible for managerial oversight of our cybersecurity program and reporting on cybersecurity matters to the Audit Committee of the Board of Directors and management. Our Senior Vice President, Controller and Principal Accounting Officer oversees the cybersecurity team, which include members of our internal IT department and is also supported by third-party service providers. Our Board of Directors is responsible for overseeing our enterprise risk management activities in general, and each of our Board committees assists the Board in the role of risk oversight. The Audit Committee of the Board of Directors oversees our cybersecurity risk and receives regular reports , with a minimum frequency of once per year, from our Senior Vice President, Controller and Principal Accounting Officer on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance. Promptly after becoming aware of a material cybersecurity incident affecting our IT systems or data, the Audit Committee would work with management to formulate a mitigation plan and review compliance with such plan, as well as to ensure compliance with any external regulatory or disclosure requirements, including any disclosures of material cybersecurity breaches.

Company Information