CRISPR Therapeutics AG 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

CRISPR Therapeutics AG reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 07:50:50 EST.

Filings

10-K filed on 2024-02-21

CRISPR Therapeutics AG filed an 10-K at 2024-02-21 07:50:50 EST
Accession Number: 0000950170-24-017571

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management In the ordinary course of our business, we use, store and process data including data of our employees, partners, collaborators, and vendors. We also process anonymized information about participants in clinical trials involving certain of our product candidates. We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data and our systems. Our cybersecurity risk management program includes a number of components, including information security program assessments and continuous monitoring of critical risks from cybersecurity threats using automated tools. We periodically engage third parties to conduct risk assessments on our systems, including penetration testing and other vulnerability analyses. Our finance department, with the assistance of outside technical advisors, periodically conducts an internal assessment of different systems to assess our risk management processes, including cybersecurity risk management. Additionally, we have implemented an employee education program that is designed to raise awareness of cybersecurity threats, including risks posed by phishing attempts. This training is included during the employee onboarding process and periodically thereafter. As part of our cybersecurity risk management program, we maintain processes to assess and review the cybersecurity practices of third-party vendors and suppliers. Prior to engaging third-party vendors and key suppliers, we conduct a security assessment and, as appropriate, include security requirements in contracts. We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although our business strategy, results of operations, and financial condition have not, to date, been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, we have, from time to time, experienced threats to and security incidents related to our data and systems, including phishing attacks. For more information on our cybersecurity related risks, see Risk Factors Risks Related to Information Security and Privacy Our Internal Information Technology Systems, Or Those Of Our Collaborators Or Other Contractors Or Consultants, May Fail Or Suffer Security Breaches, Which Could Result In A Material Disruption Of Our Product Development Programs . Governance Under the ultimate direction of our chief executive officer, or CEO, and our executive management team (including our General Counsel who serves as our Chief Compliance Officer), with oversight from our Audit Committee of the Board of Directors, or Audit Committee, our Head of Information Technology, or Head of IT, has primary responsibility for assessing, operating and managing our cybersecurity threat management program. Our Head of IT meets periodically with our Chief Compliance Officer to discuss current developments in the cybersecurity landscape and our cybersecurity risk management program, including providing updates regarding the sources and nature of critical risks we face and how the IT department assesses those risks, including the likelihood of such risks, the severity of impact, and progress on vulnerability remediation. Our Chief Compliance Officer and Head of IT consult with other members of our information technology department, and with third parties with expertise in cybersecurity, including a virtual Chief Information Security Officer, or vCISO, to develop strategies to assess, address and align cybersecurity efforts with our business objectives and operational requirements. The Head of IT role is currently held by an individual who has over 20 years of experience with information security and business systems, including digital infrastructure and cybersecurity. The individual currently operating as our vCISO has over 15 years of experience in providing services as an enterprise vCISO across various industries, including life sciences and national defense and has advised various agencies of the U.S. federal government. As part of our Board of Directors , or Board s, enterprise risk management program, our Board has responsibility for oversight of cybersecurity risk management. Our Board has delegated to our Audit Committee oversight of our cybersecurity risk management program, including oversight of information security and cybersecurity threats and related compliance and disclosure requirements. On an annual basis, our Head of IT and vCISO provide an update to our Audit Committee regarding our cybersecurity risk management program, including as relates to critical cybersecurity risks, ongoing cybersecurity initiatives and strategies, and applicable regulatory requirements and industry standards. The Audit Committee periodically reports on cybersecurity risk management to the full Board of Directors. 92

Company Information