REGENERON PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2024-02-05

Page last updated on April 11, 2024

REGENERON PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-05 09:16:15 EST.

Filings

10-K filed on 2024-02-05

REGENERON PHARMACEUTICALS, INC. filed an 10-K at 2024-02-05 09:16:15 EST
Accession Number: 0001804220-24-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner. Our Technology Risk Management Committee, which is comprised of representatives from our business operations and support functions (e.g., legal, finance, internal audit, commercial, privacy), assesses risks based on probability and potential impact to key business systems and processes. Risks that are considered high are incorporated into our overall risk management program. A mitigation plan is developed for each identified high risk, with progress reported to the Technology Risk Management Committee and tracked as part of our overall risk management program overseen by the Audit Committee of our board of directors. We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary. We have also 70 Table of Contents developed a third-party cybersecurity risk management process to conduct due diligence on external entities, including those that perform cybersecurity services. Cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected our Company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our Company. Refer to the risk factor captioned " Significant disruptions of information technology systems or breaches of data security could adversely affect our business " in Part I, Item 1A. “Risk Factors” for additional description of cybersecurity risks and potential related impacts on our Company. Governance Our board of directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee of the board oversees our risk management program, which focuses on the most significant risks we face in the short-, intermediate-, and long-term timeframe. Audit Committee meetings include discussions of specific risk areas throughout the year, including, among others, those relating to cybersecurity threats, and reports from the Chief Audit Executive on our enterprise risk profile on an annual basis. The Audit Committee reviews our cybersecurity risk profile with management on a periodic basis using key performance and/or risk indicators. These key performance indicators are metrics and measurements designed to assess the effectiveness of our cybersecurity program in the prevention, detection, mitigation, and remediation of cybersecurity incidents. We take a risk-based approach to cybersecurity and have implemented cybersecurity policies throughout our operations that are designed to address cybersecurity threats and incidents. The Company’s Chief Information Security Officer (“CISO”), in coordination with the Chief Information Officer and the Technology Risk Management Committee, is responsible for the establishment and maintenance of our cybersecurity program, as well as the assessment and management of cybersecurity risks. The current CISO has over 35 years of experience in information security and possesses the requisite education, skills, experience, and industry certifications expected of an individual assigned to these duties. The CISO provides periodic updates on our cybersecurity risk profile to management’s Technology Risk Management Committee, the Audit Committee of our board of directors, and the Audit Committee chair.

Company Information