ALNYLAM PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

ALNYLAM PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 16:23:12 EST.

Filings

10-K filed on 2024-02-15

ALNYLAM PHARMACEUTICALS, INC. filed an 10-K at 2024-02-15 16:23:12 EST
Accession Number: 0001178670-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have in place a cross-functional, enterprise-wide cybersecurity program that is integrated into our overall risk management process and strategy and has direct involvement from our senior management and board oversight. Our cybersecurity program is based on industry standard CIS critical security controls. The top risks facing our Company, including those related to cybersecurity, are included in our overall enterprise risk management program that is managed by a cross-functional group chaired by our compliance and internal audit functions. To assess, identify, and manage material risks from cybersecurity threats to our information systems and the associated costs, our cybersecurity program prioritizes vulnerability management and risk reduction, detection and prevention. As part of this program, we conduct continuous monitoring for anomalous behavior using a third-party security operations center. In addition, we conduct an annual cybersecurity risk assessment in conjunction with our third-party consultant that specializes in information security, and we incorporate recommendations from the risk assessment into our cybersecurity strategy, as appropriate. This risk assessment process considers the nature of our business, requirements from our internal and external stakeholders, and industry trends and risks, including new and emerging risks. By continuously assessing the cybersecurity landscape, we develop targeted strategies that identify and address the risks most likely to impact our company. We also conduct at least one cybersecurity incident tabletop exercise each year to test and enhance our incident response plans. Our cybersecurity program is designed to detect and prevent disruption to critical information systems, minimize the loss or manipulation of sensitive information, efficiently remediate and recover from cybersecurity incidents and ensure compliance with regulations and disclosure requirements. Pursuant to our processes, when a cybersecurity incident occurs, we convene a cross-functional incident response team whose membership is dictated by the severity of the incident but in all instances includes representatives from our information technology, legal and accounting departments. This cross-functional representation allows us to leverage diverse perspectives and expertise when addressing cybersecurity events and to analyze the potential financial, legal, operational, and reputational implications of an incident, thereby enabling us to make informed decisions and take appropriate actions. This incident response framework further enables us to quickly assess the severity of cybersecurity incidents and the materiality of incidents based on pre-defined criteria that considers both quantitative and qualitative factors to determine the appropriate response. Identified incidents are then escalated to the relevant management teams based on their severity, allowing for a swift determination of materiality and an effective mitigation process. If we determine that an incident is not material, we continue to monitor it for subsequent developments. We also utilize third-party service providers as a normal part of our business operations. These third-party service providers may have access to our systems and/or sensitive information. To address cybersecurity risks arising from our third-party service providers, we assess and monitor risks relating to potential compromises of sensitive information at our third-party service providers and reevaluate these risks periodically. We categorize our third-party service providers by criticality, based on the criticality and sensitivity of our data each third-party service provider has access to, and, based on this, we employ a risk-based approach for review of the security measures implemented by each third-party service provider. In addition, we obtain periodic attestation reports related to data security and privacy from certain third-party service providers to further support compliance with industry-standard cybersecurity protocols. Additionally, to minimize our enterprise-wide risk and exposure to material cybersecurity incidents, we conduct annual cybersecurity awareness training and education for our employees. By equipping our employees with the necessary knowledge and skills, we intend to cultivate a cybersecurity-conscious culture within our organization. We maintain insurance to provide coverage for a portion of the losses and damages that may result from a physical attack, cybersecurity attack or a security breach. Such insurance is subject to several exclusions and may not cover the total loss or damage caused by an attack or a breach. Consequently, costs related to incidents may not be covered by insurance. 79 Table of Con tents Impact of Cybersecurity Risks on Strategy and Results Our business operations and relationships with customers and suppliers are heavily reliant on technology, and any failure or disruption in our technological systems could have significant negative impacts on our business. For example, we collect, store and transmit sensitive information including intellectual property, proprietary business information, including highly sensitive clinical trial data, and personal information in connection with our business operations. The secure maintenance of this information is critical to our operations and business strategy. If this information was subject to a cybersecurity attack or unauthorized access or use, it could have a material adverse effect on our business and could expose us to potential legal consequences, liabilities, mitigation costs, and damage to our reputation. Managing cybersecurity incidents would also divert management s attention and resources from regular business operations. We believe that our current cybersecurity program provides adequate measures of protection against cybersecurity breaches and generally reduces our risks. However, cybersecurity threats are constantly evolving, becoming more frequent and more sophisticated and are being made by groups of individuals with a wide range of expertise and motives, which increases the difficulty of detecting and successfully defending against them. While we have implemented measures to safeguard our operational and technology systems and have established a culture of monitoring and improvement, the evolving nature of cybersecurity attacks and vulnerabilities means that these protections may not always be effective. However, our management has determined that, during the period covered by this Annual Report on Form 10-K, no cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, operating results, or financial condition. Governance Our board of directors is responsible for cybersecurity risk management and oversight of our cybersecurity program. The nominating and corporate governance committee of the board of directors assists in the oversight of management s implementation of our information technology policies and monitoring of the risks associated with our information systems, including reviewing and discussing with management our program to identify, assess, manage and monitor cybersecurity risks. The nominating and corporate governance committee regularly reviews technology strategies, physical and cybersecurity threat assessments, emerging issues and related initiatives. In addition, the audit committee of the board of directors coordinates the board of directors oversight of our disclosure controls and procedures and ensures that we have in place appropriate internal controls, risk assessment policies and procedures, incident response plans and reporting mechanisms. The nominating and corporate governance committee coordinates with the board of directors and audit committee, as appropriate, on matters related to cybersecurity risk. Our board of directors delegates execution of our cybersecurity program to our Chief Information Security Officer, or CISO, who is responsible for the day-to-day management of our cybersecurity program. Our CISO has over 25 years of information security and information technology risk expertise in multiple industries, including financial, manufacturing, healthcare and life sciences, and holds industry standard certifications, including CISSP, CRISC and CISM. Our CISO, together with our Chief Information Officer, or CIO, provides at least two presentations each year to our board of directors or nominating and corporate governance committee on cybersecurity incidents, security program updates and ongoing risks, with additional updates being provided on an as-needed basis. Our CISO also meets periodically with our senior leadership team to review metrics on readiness, incidents, mitigations and remediation. In addition, our internal audit team performs periodic audits of our systems and cybersecurity processes, the results of which are reported to the audit committee and our senior management team. We have established a disclosure committee, which consists of our chief executive officer, chief financial officer, and senior leaders from finance, legal, accounting, corporate communications, and investor relations, including, but not limited to, our Chief Legal Officer, CIO, CISO, chief accounting officer, controller and senior vice president investor relations and corporate communications. The disclosure committee is actively involved in the review and approval of the Company s SEC filings and has responsibility for considering the materiality of information for such filings and, on a timely basis, determining the disclosure of that information. The CISO briefs the disclosure committee, as necessary, on cybersecurity related matters, which includes information regarding our detection, prevention, mitigation, and remediation of cybersecurity incidents and monitoring of previously evaluated cybersecurity incidents for subsequent changes that might impact conclusions on materiality, and this information is presented to the nominating and corporate governance committee, as appropriate. 80 Table of Con tents

Company Information