Deciphera Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2024-02-07

Page last updated on April 11, 2024

Deciphera Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-07 07:11:52 EST.

Filings

10-K filed on 2024-02-07

Deciphera Pharmaceuticals, Inc. filed a 10-K at 2024-02-07 07:11:52 EST
Accession Number: 0001654151-24-000004

Item 1C. Cybersecurity.

Cyber Risk Management and Strategy

We have developed and maintain an information security program designed to assess, identify, and manage risks from cybersecurity threats. As part of this program, we conduct periodic assessments of our assets to evaluate the effectiveness of applicable security controls. These assessments are informed by industry standard frameworks and include a review of our information security controls to assess cybersecurity maturity compared to our peers and other highly regulated industries. The results of these assessments are reported to the board of directors as part of a cybersecurity update report conducted at least annually.

We also engage vendors to assist with enterprise managed detection and response, global security operations center, security information and event management, and enterprise vulnerability management. In addition, we have implemented a cybersecurity third party risk management process to assess mission and business critical third parties for cyber risks and to assist the business in making risk-informed technology product and services decisions. Our practice is to perform due diligence, including the completion of security questionnaires and risk assessments, as appropriate, on third parties who maintain material data or information to help us evaluate and verify third party information security capabilities.

We have adopted an Incident Response Management Procedure (the Procedure) that outlines the legal and governance processes for identifying and managing material risks to privacy and security. An incident response team is responsible for carrying out the Procedure and is led by our information & technology (I&T) department, and includes members from our legal and compliance, privacy, investor relations, finance, and quality departments. In addition, our enterprise information security program describes our capabilities and processes for the preparation, detection, analysis, containment, recovery, and reporting of incidents. We also manage and maintain business continuity and disaster recovery capabilities to help ensure the availability of business-critical technology resources during adverse conditions.

Governance Related to Cybersecurity Risks

Management is responsible for the day-to-day management of risks we face, while our board of directors, as a whole and through committees, has responsibility for the oversight of risk management. Our board of directors oversees the management of our risks from cybersecurity threats. In addition, the full board discusses with management our major risk exposures, their potential impact on us, and the steps we take to manage them.

Our Vice President of I&T is responsible for developing, implementing, and maintaining our cybersecurity risk management policies and procedures. The individual currently serving in the role of Vice President of I&T has over twenty-five years of experience in cybersecurity, information security, data protection, privacy, regulatory compliance and risk management within complex and international business verticals such as pharmaceutical/biotech, technology, financial services, and retail. The Vice President of I&T reports to our Chief Financial Officer, and provides periodic cybersecurity updates to our board on at least an annual basis. Our incident response process contemplates that the executive team will notify the board of a material cybersecurity incident.

Our cybersecurity steering committee (the Steering Committee) oversees technical matters regarding cybersecurity through periodic meetings and frequent communications. When formal meetings are held, attending committee members include representatives from the I&T, regulatory affairs, quality, finance, and legal and compliance departments. The Steering Committee has a charter that is reviewed internally to ensure it is aligned with our business strategy. As outlined in its charter, the Steering Committee has three key roles: (i) systems assurance: to oversee the establishment and maintenance of effective cybersecurity mechanisms throughout the Company; (ii) documentation: review of documented policies, standards, processes, and procedures that will have a direct or indirect impact on the security and privacy of our information; and (iii) management of information security risk: identify and manage significant cybersecurity risks across the Company, including escalating to our executive leadership team where appropriate.


Company Information

Name: Deciphera Pharmaceuticals, Inc.
CIK: 0001654151
SIC Description: Pharmaceutical Preparations
Ticker: DCPH - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30