Royalty Pharma plc 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

Royalty Pharma plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 09:05:28 EST.

Filings

10-K filed on 2024-02-15

Royalty Pharma plc filed an 10-K at 2024-02-15 09:05:28 EST
Accession Number: 0001802768-24-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. CYBERSECURITY Risk Management and Strategy We have a dedicated team focused on cybersecurity and we maintain a cybersecurity program designed to protect our systems, technology infrastructure, operations and the data entrusted to us by our employees and counterparties. Our cybersecurity program is led by our Chief Technology Officer, who is a part of our senior leadership team and works closely with our team to develop and advance our cybersecurity strategy and regularly reports to our board of directors and the audit committee of our board of directors on cybersecurity matters. Cybersecurity threats are assessed as part of our enterprise risk management assessments. Our cybersecurity strategy includes procedures for identifying material cybersecurity risks, prioritizing risks and analyzing risk mitigation. Our cybersecurity strategy also includes developing and implementing policies and procedures, escalating any issues as necessary that present a material risk and ensuring that all employees have sufficient cybersecurity training. We have engaged consultants and other third parties in connection with our enterprise risk management assessments, including with respect to cybersecurity. We conduct regular testing to identify vulnerabilities before they can be exploited by attackers. We examine and validate our program with third parties, measuring it against industry standards and established frameworks to help identify areas for focus, improvement and compliance. We have comprehensive plans to ensure that any non-routine events are properly escalated. These plans are validated through cyber incident exercises to consider the types of decisions that would need to be made in the event of a cyber incident. We have engaged in scenario planning exercises around cyber incidents with cybersecurity consultants in this process. Our security awareness platform aims to reduce vulnerabilities in our systems if they are the target of phishing or social engineering through simulations of attacks coupled with employee training. We assess third party vendors who have access to our data or systems to measure their adherence to relevant industry practices and standards, including due diligence and monitoring compliance with security assessments. In 2023, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. Despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurance that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see Risk Factors Cybersecurity vulnerabilities or other failures in information systems could result in information theft, data corruption and significant disruption of our business operations. 42 Governance The board of directors has adopted a Cyber Security and Personal Data Breach Policy in order to reflect the importance of appropriate security, processes and procedures to the protection of data and assets, and in an effort to establish a foundation for successful protection against cyber-crime and to minimize any potential negative impacts of a successful cyber-attack. Our cybersecurity program is overseen by our Chief Technology Officer who reports directly to our Chief Executive Officer and periodically briefs the audit committee and the board of directors on our cybersecurity program and cybersecurity issues. Our Chief Technology Officer has over 25 years of professional experience in various roles across multiple industries involving leading strategic technology initiatives. Several of our directors have experience with managing and mitigating cybersecurity and technology risks, which provides our board of directors with insight into such risks and aid in overseeing our information security, operations and systems, as well as our continuing investment in and development of our cybersecurity program. The board of directors receives updates or training, as necessary, on cybersecurity issues from management, experts and legal advisors, as required. The audit committee is responsible for overseeing our enterprise risk management program, which includes consideration of technology and cybersecurity risks. The audit committee receives updates about the results of assessments conducted by outside advisors who provide independent assessments of our technology systems.

Company Information