EXELIXIS, INC. 10-K Cybersecurity GRC - 2024-02-06

Page last updated on April 11, 2024

EXELIXIS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-06 16:49:11 EST.

Filings

10-K filed on 2024-02-06

EXELIXIS, INC. filed an 10-K at 2024-02-06 16:49:11 EST
Accession Number: 0000939767-24-000028

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We maintain a cybersecurity and information security program, which leverages best practices and standards. Risks from cybersecurity threats are regularly evaluated as part of our broader risk management activities and as a fundamental component of our internal control system. The scope of our evaluation encompasses risks that may be associated with both our internally managed IT systems and key business functions and sensitive data operated or managed by third-party service providers. All employees receive cybersecurity training upon hire with annual or more frequent training thereafter with job-specific topic considerations. Our IT team engages third-party vendors to assist with providing timely cybersecurity threat alerts in addition to monitoring cybersecurity threats and our defenses against cyberattacks. This monitoring includes the proactive identification of vulnerabilities in our systems with threat intelligence. The employees within our broader IT team who specialize in cybersecurity operations (Security Ops Team) are responsible for coordinating and overseeing the activities of these third-party vendors. Our Information Security Incident Response Plan (Response Plan) sets forth our response protocol for cybersecurity threats and cybersecurity incidents and is maintained by the Information Security Governance Committee (InfoSec Committee), which reviews the Response Plan on an annual basis. The InfoSec Committee is comprised of IT department leaders and members of our senior management team and is a subcommittee of our Ethics Committee, which provides reports to the Risk Committee of our Board of Directors. Our Response Plan is designed to provide a framework for how we identify, escalate and respond in the event of a data security breach and designates personnel who are responsible for these functions. Our Security Ops Team evaluates security alerts received from various sources, and any alert or threat that the Security Ops Team identifies as a cybersecurity incident (such as a data security breach) is promptly escalated to the InfoSec Committee for further assessment. Upon confirmation that a cybersecurity incident has occurred, our InfoSec Committee will establish an incident response team, which may include representatives from our internal departments, as well as outside legal counsel or other external cybersecurity consultants or service providers. The Incident Response Team aims to develop a coordinated response strategy, entailing risk containment, notification processes, system restoration, incident documentation and assessment, data preservation and forensic analysis. The InfoSec Committee evaluates the implications of cybersecurity incidents to determine whether such incidents have had or are reasonably likely to have a material effect on our business strategy, financial condition, and results of operations. If a cybersecurity incident is deemed material by our InfoSec Committee, our Chief Financial Officer or General Counsel will notify the other members of our senior management team and the Chair of the Risk Committee of our Board of Directors as needed. Cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and we believe are not reasonably likely to affect us, including our business strategy, results of operations or financial condition. We and our third-party service providers have frequently been the target of cybersecurity threats and expect them to continue, and for an additional description of these cybersecurity risks and potential related impacts on us, see Risk Factors in Part I, Item 1A of this Annual Report on Form 10-K. Governance Board of Directors and Board Committees. In accordance with our Corporate Governance Guidelines, the Board of Directors, both directly and through its committees (including the Risk Committee) oversees the proper functioning of our risk management process. In particular, the Risk Committee assists the Board in its oversight of management s responsibility to assess, manage and mitigate risks associated with the Company s business and operational activities and to administer the Company s various compliance programs, in each case including data privacy and cybersecurity concerns. The Board and the Risk Committee each meet at regularly scheduled and special meetings throughout the year at which meetings management reports to the Board concerning the results of its risk management activities, as well as external factors that may change the levels of business risk to which we are exposed. Specifically, the Risk Committee receives regular updates from members of the InfoSec Committee or Ethics Committee, as often as necessary but at least once per year, with respect to our cybersecurity threats and responses to any cybersecurity incidents. 60 Table of Contents Management s Responsibilities. Management has implemented risk management structures, policies and procedures, and manages our risk exposure on a day-to-day basis. Accordingly, management assesses and responds to cybersecurity threats as part of our ongoing risk assessment and as an internal control over financial reporting. Our Security Ops Team directs our cybersecurity operations and risk responses. Members of the SecOps Team then meet with the InfoSec Committee at least once every quarter to review and assess cybersecurity incidents and non-incident threats (and response measures undertaken) to determine if any adjustment to our cybersecurity risk assessment is required. At least once every year, members of the Security Ops Team and the Vice President of Information Technology present our cybersecurity risk evaluation and threat response to the Ethics Committee and to the Risk Committee of the Board of Directors as needed. The InfoSec Committee is a subcommittee comprised of IT department leaders and members of the senior management team, including the Chief Executive Officer, Chief Financial Officer (who has oversight of our IT and cybersecurity activities), General Counsel (who has oversight of our compliance activities), and Vice President of Information Technology (who has 20 years of experience managing IT systems and personnel). The Security Ops Team reports to the Vice President of Information Technology, as well as the broader InfoSec Committee. Members of the Security Ops team include IT professionals with extensive experience and education in technology and cybersecurity, and most have attained accreditation as Certified Information Systems Security Professionals, as granted by the International Information System Security Certification Consortium (also known as ISC2).

Company Information