Sage Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

Sage Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 07:20:39 EST.

Filings

10-K filed on 2024-02-14

Sage Therapeutics, Inc. filed an 10-K at 2024-02-14 07:20:39 EST
Accession Number: 0000950170-24-014934

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy As is the case for similar companies of our size and industry, we may be the target of cyberattacks and other cyber incidents and, therefore, cybersecurity is an important element of our overall enterprise risk management program. We have certain processes to systematically evaluate, identify, address, and manage cybersecurity risks, which are built into our overall risk management program and are designed to help safeguard our information assets and operational integrity from internal and external cyber threats, protect employee information from unauthorized access or attack, as well as secure our networks and systems. Such processes include physical, procedural, and technical safeguards, response plans, and continuity exercises on our systems. We also routinely review our policies and procedures to identify risks and refine our practices. By prioritizing cyber risk comprehension and management, we aim to enhance business resiliency, protect information from unauthorized access or attacks, and secure our digital footprint. 87 We engage certain external parties, including cybersecurity and privacy firms, to enhance our cybersecurity oversight and risk reduction abilities. We also perform an annual cybersecurity assessment designed to help align our cybersecurity program with industry best practices. In addition, we regularly consult with industry groups, peer organizations, and external executives to assess the cybersecurity threat landscape throughout the year. Our cybersecurity policies, standards, and procedures include cyber and data breach response plans benchmarked against multiple cybersecurity risk frameworks. Our incident response plan is designed to help coordinate the response to and recovery from cybersecurity incidents and includes processes to identify, investigate, triage, assess the severity of, escalate, contain, and remediate incidents and comply with applicable legal or regulatory obligations. We also regularly perform technical reviews of our systems to help secure our digital environment and confirm software patches are appropriately up-to-date. To oversee and identify risks from cybersecurity threats associated with our use of third-party service providers, we have implemented a third-party risk management program designed to help protect against information misuse and assess the information technology security measures of potential third parties and business partners. We perform a third-party risk assessment before starting a relationship with certain service providers and utilize a third-party risk intelligence program to monitor the activity of critical vendors following engagement. In addition, we maintain cyber insurance coverage as part of our overall risk mitigation strategy. This cyber insurance coverage may not be sufficient to cover against all claims. We do not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. Governance Our Audit Committee of the Board of Directors provides direct oversight over cybersecurity risk. Beginning in 2024, the Audit Committee receives annual updates from management regarding cybersecurity matters and is notified between such updates regarding significant new cybersecurity threats or incidents, if applicable. We also have a cybersecurity steering committee responsible for assisting with our overall day-to-day cybersecurity responsibilities and implementing our cybersecurity programs. The cybersecurity steering committee is currently comprised of members of our digital and enterprise capabilities team and is chaired by our executive director of cybersecurity. Among other things, the cybersecurity steering committee: reviews our internal controls to help protect our information assets; assists with developing practices, procedures, and controls designed to identify, assess, and manage critical cybersecurity programs and risks; and works to align our risk governance structure, including policies and procedures, with our business objectives. The chair of the cybersecurity steering committee, our executive director of cybersecurity, has over 25 years of information technology industry experience including 20 years focused on cybersecurity, and master s degrees in a cybersecurity discipline and in business administration, in addition to multiple certifications related to information technology and cybersecurity. In addition, to help prevent and detect cybersecurity threats, we provide all employees, including part-time and temporary employees, with monthly cybersecurity and privacy training, which covers timely and relevant cybersecurity topics, including social engineering, phishing, password protection, confidential data protection, asset use, and mobile security.

Company Information