BridgeBio Pharma, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

BridgeBio Pharma, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:27:58 EST.

Filings

10-K filed on 2024-02-22

BridgeBio Pharma, Inc. filed a 10-K at 2024-02-22 16:27:58 EST
Accession Number: 0000950170-24-018811


Item 1C. Cybersecurity.

Cybersecurity Risk Management

We have implemented an information security program that is informed by, and incorporates elements of, industry standards and frameworks, including those issued by NIST (National Institute of Standards and Technology), ISO (International Organization for Standardization), and CIS (Center for Internet Security). Our security program is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats.

Our cybersecurity risk management program includes a number of components, such as information security program assessments and ongoing monitoring of critical risks from cybersecurity threats using automated tools. We periodically engage third parties to conduct risk assessments and testing of our systems, including penetration testing and other vulnerability analyses. Additionally, we have implemented an employee education program that is designed to raise awareness of cybersecurity threats, including risks posed by phishing attempts. We have implemented a process for this training to be included during the employee onboarding process and periodically thereafter.

As part of our cybersecurity risk management program, we maintain processes to assess and review the cybersecurity practices of third-party vendors and service providers. Our process includes a security assessment informed by vendor questionnaires and contractual security requirements related to data privacy for certain vendors.

We, like other companies in our industry, face a number of cybersecurity risks in connection with our business. Although our business strategy, results of operations, and financial condition have not, to date, been materially affected by risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents, we have, from time to time, experienced threats to and security incidents related to our data and systems, including phishing attacks and attacks to the security of the systems of our third-party vendors and service providers. For more information on our cybersecurity related risks, see "Our internal computer systems, or those used by our third-party collaborators, contractors or consultants, may fail or suffer security breaches, which could result in a material disruption of our development programs and business operations" in Item 1A - Risk Factors.

Governance

Our internal information security team is responsible for day-to-day operations related to our cybersecurity risk management strategy, including identifying, assessing, and managing cybersecurity threats and risks. We established a process that intends for our Incident Response Team to respond to and address incidents as they arise. The Incident Response Team is multidisciplinary and comprised of members of our information technology and security function, accounting and finance department, and legal department. This team is led by our Director of Security and Network Infrastructure. The Director of Security and Network Infrastructure role is currently held by an individual who has approximately twenty (20) years of information technology and ten (10) years of information security related experience.

The Incident Response Team provides periodic reports to our Data Privacy and Security Committee, as well as our Chief Executive Officer and other members of our senior management, as appropriate. These reports include updates on the Company's cybersecurity risk management program, assessments of current cybersecurity risks, and status updates for projects designed to enhance our information security systems. Our Data Privacy and Security Committee meets to further discuss such items on a monthly basis and reports periodically to the Audit Committee of the Board of Directors.

Our Board of Directors, as a whole and through its committees, has oversight responsibility over the Company's strategy and risk management, including our response to critical risks related to cybersecurity threats. The Audit Committee of the Board of Directors specifically oversees the management of enterprise risks, including risks associated with privacy and data security (including cybersecurity), in accordance with its charter. The Audit Committee engages in periodic discussions, on at least a bi-annual basis, with a member of the Data Privacy and Security Committee as well as members of legal and executive leadership as appropriate regarding the Company's significant financial risk exposures and the measures implemented to monitor and control these risks, including those that may result from critical cybersecurity threats. Executive leadership periodically reports on critical cybersecurity risks and risk management to the full Board of Directors.


Company Information

Name: BridgeBio Pharma, Inc.
CIK: 0001743881
SIC Description: Pharmaceutical Preparations
Ticker: BBIO - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30