BICYCLE THERAPEUTICS plc 10-K Cybersecurity GRC - 2024-02-20

Page last updated on April 11, 2024

BICYCLE THERAPEUTICS plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-20 07:19:32 EST.

Filings

10-K filed on 2024-02-20

BICYCLE THERAPEUTICS plc filed an 10-K at 2024-02-20 07:19:32 EST
Accession Number: 0001558370-24-001324

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY. Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, computer hardware and software, and our critical data includes proprietary, confidential and sensitive data, including, without limitation, personal data (such as health-related data), intellectual property and trade secrets (collectively Information Assets ). Accordingly, we maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business. Risks from cybersecurity threats are among those that we address in our general risk management program. We rely on a multidisciplinary team (including personnel from our information security function, management and third-party service providers, as needed, as described further below) to help identify, assess and manage our risks. We identify and assess such threats by, among other things, monitoring and evaluating the threat environment using various methods, including, for example, manual and automated tools, information security tools and platforms to alert us to potentially unwarranted activity on our networks, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry s risk profile, evaluating threats reported to us, conducting threat assessments for internal and external threats, and conducting risk and vulnerability assessments to identify vulnerabilities. Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Assets. For example, the risk management and reduction measures we implement for certain of our Information Assets include: policies and procedures designed to address cybersecurity threats, including an incident response plan, vulnerability management, and disaster recovery/business continuity plans; incident detection and response solutions; internal and/or external audits to assess our exposure to cybersecurity threats; documented risk assessments; implementation of certain security standards/certifications; encryption of data; network security controls; data segregation; physical and electronic access controls; physical security; asset management, tracking and disposal; systems monitoring; employee security training; penetration testing; and cyber insurance. In addition to the above, management obtains a third-party review and formal certification of its information management system policies and procedures, which has been collated into an Information Security Management System (ISMS) which is maintained to ISO27001 standards. We work with third parties from time to time that assist us to identify, assess, and manage cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, penetration testing firms and other vendors that help to identify, assess, or manage cybersecurity risks. To operate our business, we utilize certain third-party service providers to perform a variety of functions, such as outsourced business critical functions including contract research organizations, or CROs, for managing clinical trials, professional services, SaaS platforms, managed services, property management, cloud-based infrastructure, data center facilities, content delivery to customers, encryption and authentication technology, corporate productivity services, and other functions. We generally engage reliable, reputable service providers that maintain cybersecurity programs. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information 106 Table of Contents they process, conducting security assessments, requiring their completion of written questionnaires regarding their services and data handling practices, and conducting periodic re-assessments during their engagement. For service providers that provide particularly critical services to us or process particularly sensitive information for us, we may also require that such providers possess at least one of the following certificates, reports, or procedures: SOC 2 Type 2; ISO 27001; annual penetration tests; and/or red/blue team tests. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor titled: Cyber-attacks or other failures in telecommunications or information technology systems and deficiency in our, or those of third parties upon which we rely, cybersecurity could result in information theft, data corruption and significant disruption of our business operations . Governance Our cybersecurity risk management strategy relies on input from management, including our Vice President, Technology & Information Security, who reports directly to our Chief Operating Officer, and has over ten years of experience in developing and implementing cybersecurity strategies for companies in the biopharmaceutical industry, as well as our Chief Financial Officer and General Counsel. We have also formed an Information Risk Assessment Committee, or IRAC, consisting of senior members of the finance, legal, operations and information technology functions, to oversee the management of information security as a whole, including integrating cybersecurity considerations into the company s overall risk management strategy, and for communicating key priorities to employees. The IRAC meets on a regular basis, generally quarterly, to discuss cybersecurity risk and to review our cybersecurity program. Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including our incident response team, which includes, but is not limited to, our Vice President, Technology & Information Security, General Counsel and Chief Financial Officer. In addition, our incident response processes include reporting to the Audit Committee of the board of directors for certain cybersecurity incidents. Management, including the IRAC, is also responsible for approving budgets, helping prepare for cybersecurity incidents, responding to cybersecurity incidents, approving cybersecurity policies and procedures, reviewing audit reports, and reporting to the board of directors. Our board of directors oversees our risk management strategy with respect to cybersecurity threats. The board, through its Audit Committee, holds regular meetings, at least quarterly, to discuss issues including our cybersecurity threats. The meetings involve presentations and reports from our management, including our Vice President, Technology & Information Security, concerning our significant cybersecurity threats and risks and the processes we have implemented to address them.

Company Information