IONIS PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2024-02-21

Page last updated on April 11, 2024

IONIS PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-21 16:38:27 EST.

Filings

10-K filed on 2024-02-21

IONIS PHARMACEUTICALS INC filed an 10-K at 2024-02-21 16:38:27 EST
Accession Number: 0000874015-24-000116

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain various information security processes designed to detect, respond to, recover, and protect our technology ecosystem from cybersecurity threats. These processes are designed to identify, assess, and manage material risks that may result from cybersecurity threats and apply to our critical technologies inclusive of networks, third party hosted services, communications systems, hardware, software, and critical data, including intellectual property and confidential information that is proprietary, strategic, or competitive in nature. 65 Table of Contents Our Information Technology department, led by our Senior Vice President, Information Technology, helps to detect, respond to, and manage cybersecurity threats and risks by monitoring and evaluating our threat environment using various manual and automated tools in certain environments and systems and other methods including, for example: analyzing reports of certain threats and actors; conducting scans of the threat environment; evaluating our and our industry s risk profile; evaluating certain threats reported to us; conducting internal and external audits; conducting threat assessments for certain internal and external threats; and conducting vulnerability assessments to identify vulnerabilities. Depending on the environment and system, we have implemented and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our critical technologies, including, for example: incident response plan; disaster recovery/business continuity plans; risk assessments; encryption of certain data; network security and access controls for certain systems; physical security; asset management, tracking and disposal; systems monitoring; and employee training. Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. For example, cybersecurity risk is assessed as a component of the Company s enterprise risk management program. In addition, we have developed a process whereby our senior management will evaluate material risks from cybersecurity threats against our overall business objectives and will report certain cybersecurity incidents to the Audit Committee of the Board of Directors, which evaluates our overall enterprise risk. We use third-party service providers to perform various functions throughout our business, such as application providers and hosting companies. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including, for example, legal counsel, cybersecurity consultants, cybersecurity software providers, penetration testing firms, and forensic investigators. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the risk factor titled We are dependent on information technology systems, infrastructure and data, which exposes us to data security risks . Governance Our Board of Directors addresses the Company s cybersecurity risk management as part of its general oversight function. The Audit Committee of the Board of Directors is responsible for overseeing the Company s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by our Senior Vice President, Information Technology, who is an information technology professional with healthcare and digital certifications and has over 25 years of relevant experience, and other employees in our Information Technology department who are certified security professionals and have relevant experience. Our Senior Vice President, Information Technology is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company s overall risk management strategy, communicating key priorities to relevant personnel, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response plan is designed to escalate cybersecurity incidents, depending on the circumstances, to our senior management team and Audit Committee of the Board of Directors. As part of such process, the Audit Committee of the Board of Directors receives regular reports from our Senior Vice President, Information Technology concerning the Company s significant cybersecurity threats and risks and the processes the Company has implemented to address them. 66 Table of Contents

Company Information