Blueprint Medicines Corp 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

Blueprint Medicines Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 17:26:31 EST.

Filings

10-K filed on 2024-02-15

Blueprint Medicines Corp filed an 10-K at 2024-02-15 17:26:31 EST
Accession Number: 0001558370-24-001254

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Governance Related to Cybersecurity Risks Our management, with involvement and input from our audit committee, performs an annual enterprise-wide risk management (ERM) assessment to identify and manage key existing and emerging risks for our company. Our ERM process seeks to identify both the potential impacts to our company of a particular risk and the likelihood and proximity of any such risk. Our management team is responsible for implementing and overseeing our ERM process. Cybersecurity 92 Table of Contents is among the risks identified for board of directors level risk oversight as a result of our most recent ERM assessment, with our audit committee of the board of directors having been delegated responsibility for overseeing our policies, practices and assessments with respect to cybersecurity and other information technology risks. Our information security team is led by the SVP of IS, who reports to our chief financial officer. Our SVP of IS has over 25 years of experience managing and securing technology infrastructure. The information security team has responsibility for the planning and execution of our processes to manage cybersecurity and other information technology risks. The information security team also institutes and maintains controls for our systems, applications, and databases. The audit committee receives periodic updates on our cybersecurity risks from our information security team, which include biannual presentations on the status of our cybersecurity risk management program by the SVP IS. These reports include updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents, if any. In addition, as needed, management updates the audit committee regarding any material cybersecurity incidents. We have also implemented an annual process for employees to complete security awareness training. Cyber Risk Management and Strategy Our processes to identify, assess, and manage risks presented by cybersecurity threats are based on the National Institute of Standards and Technology Cybersecurity Framework. Our SVP of IS, with support from the information security team, is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which include leveraging external third parties for security testing. The information security team monitors security alerts from information security research sources and peer networking, and we have implemented processes and technologies for monitoring our networks for exfiltration of sensitive company information. Before contracting with third parties or purchasing third party technology or other solutions that involve exposure to sensitive company information the team assesses vendor risk, including by requesting SOC2 reports and/or security documentation from a vendor, where appropriate, and we receive and review security updates and alerts from these third parties. Penetration testing is performed periodically across our network boundaries to identify issues for remediation. Additionally, we maintain off-site back-ups and disaster recovery plans to restore our information and systems in the event of a disruptive event. The information security team also has processes in place to inform and update management and, as needed, the audit committee about cybersecurity incidents that may pose significant risk to the company. Although risks from cybersecurity threats have to date not materially affected us, our business strategy, results of operations or financial condition, we have, from time to time, experienced threats and security incidents relating to our and our third-party vendors data and systems. For more information, please see Item 1A, Risk Factors.

Company Information