Harmony Biosciences Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Harmony Biosciences Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 08:00:49 EST.

Filings

10-K filed on 2024-02-22

Harmony Biosciences Holdings, Inc. filed a 10-K at 2024-02-22 08:00:49 EST
Accession Number: 0001558370-24-001466


Item 1C. Cybersecurity.

Introduction

The global data protection landscape is rapidly evolving, and we may be impacted by or subject to new, amended, or existing laws and regulations in the future, including as our operations continue to expand or if we begin to operate in foreign jurisdictions. The risk of a security breach or disruption or data loss, particularly through social engineering attacks, cyber-attacks, or cyber intrusion, including by computer hackers, foreign governments, and cyber terrorists, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. We collect and maintain data and information necessary to conduct our business, and we are increasingly dependent on information technology systems and infrastructure to operate our business, including systems infrastructure operated and maintained by third-party service providers. In the ordinary course of business, we collect, store, and transmit confidential information, including intellectual property, proprietary business information and personal information. It is critical that we do so in a secure manner to maintain the privacy, security, confidentiality, and integrity of such confidential information. We have established physical, electronic, and organizational measures to safeguard and secure our systems and facilities to prevent an information compromise. We rely on commercially available systems, software, tools and monitoring to provide security for our information technology systems and the processing, transmission, and storage of digital information. We have also outsourced elements of our information technology infrastructure, and as a result, a number of third-party vendors may or could have access to our confidential information.

The cost to mitigate, investigate and respond to potential security incidents, breaches, disruptions, network security problems, bugs, viruses, worms, malicious software programs and security vulnerabilities could be significant, and while we have implemented security measures to protect our data and information technology systems, our efforts to address these potential risks may not be successful, and could result in unexpected interruptions, delays, cessation of service and other harm to our business and competitive position. If such an event were to occur and cause interruptions in our operations, it could result in a material disruption of our product development programs. For example, the loss of clinical trial data from completed, ongoing or planned clinical trials could delay our regulatory approval efforts and significantly increase our costs as a result of efforts to recover or reproduce the lost data. Moreover, if a real or perceived security breach affects our systems (or those of our third-party service providers), or results in the loss of or accidental, unlawful, or unauthorized access to, use of, release of or other processing of personally identifiable information or clinical trial data, our reputation could be materially damaged. In addition, a breach may require notification to governmental agencies, the media, or individuals pursuant to applicable data privacy and security laws. We would also be exposed to a risk of loss, negative publicity, harm to our reputation, governmental investigation and/or enforcement actions, claims or litigation and potential liability, which could materially adversely affect our business, results of operations and financial condition.

Cyber Risk Governance

The Audit Committee is a sub-committee of our Board of Directors and is delegated the role of cyber risk oversight for the Company. Our management team, including the CIO, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. The CIO reports the progress of cyber risk reduction initiatives to the Audit Committee on a periodic basis. The CIO has extensive information technology experience in the corporate environment. Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

In February 2024, we chartered the Information Systems, Data and Cybersecurity Governance Committee (the "Cybersecurity Committee"), which is comprised of the Company's business unit leaders and is responsible for the management of our cyber risk exposure and monitoring the effectiveness of the cybersecurity program. The Cybersecurity Committee will report the progress of cyber risk reduction initiatives to our senior leadership and the Audit Committee on a periodic basis.

Cyber Risk Management Strategy

We have a cyber risk management policy and asset-based cyber risk management methodology for the continuous identification, assessment, and management of our cyber risk exposure. Our cyber risk managers have been trained in our cyber risk management policy and methodology. The methodology is as follows:

- Maintaining an up-to-date and accurate inventory of all assets (e.g., data, systems, hardware, software, and vendors).
- Categorization of all assets based on the criticality of the data processed and the asset's criticality to the continuity of business operations.
- A profile is maintained of the most likely threats, their intent, and the impact the threat may have on the confidentiality, integrity, and availability of Company assets.
- Evaluation of relevant risk-based scenarios or vulnerability of an asset and how a threat may exploit the asset. Implemented security controls or mitigating factors are considered for each scenario.
- Considering the asset, threat, risk-based scenario or vulnerability, and the mitigating factors, a likelihood and impact determination is made to calculate the final risk level.
- Risk reduction plans are determined and used to prioritize security program initiatives.
- Risk mitigations are tracked and monitored in a risk register.

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

Cyber Risk Exposure

Our top cyber risks have been grouped into genericized categories to avoid disclosure of sensitive information but include sufficient detail for a reasonable investor to understand our cyber risks and maintain confidence that we act in good faith to reduce our cyber risk exposure. In the fourth quarter of 2023, we performed a risk analysis of all critical assets, determining the following are our current top cyber risks, none of which are material:

- Compromise to the confidentiality of intellectual property.
- Compromise to the confidentiality and integrity of financial records.
- Compromise to the confidentiality of employee records.
- Compromise to the confidentiality, integrity, and availability of core business systems.
- Compromise to the confidentiality, integrity, and availability of critical third-party vendors supporting the continuity of business operations.

We have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See Risk Factors, "We depend on our information technology systems, and any failure of these systems could harm our business. Any real or perceived security breach, loss of data, and other disruptions or incidents could compromise the privacy, security, integrity or confidentiality of sensitive information related to our business or prevent us from accessing critical information and expose us to liability and reputational harm, which could adversely affect our business, results of operations and financial condition."

Third Party Risk Management

We leverage multiple third parties to support our business operations. Throughout the lifecycle of the vendor relationship, security is integrated as part of each process. We maintain a vendor inventory, categorized based on risk tiers, and perform due diligence of the vendor's security practices commensurate with the risk tier. Vendor contracts and security practices are monitored to ensure an accurate assessment of risk is maintained.

Third Party Support of the Cyber Risk Management Program

We employ third parties to support our cyber risk management program in the following ways:

- Use of internal and external auditors to maintain compliance with regulatory requirements.
- Use of cybersecurity consultants and managed security services providers to supplement the security program practices and evaluate the program's effectiveness, specifically:
  o Governance, risk, and compliance services.
  o Penetration testing and vulnerability management.
  o Continuous security event monitoring.
  o Data loss prevention.

Incident Management

We make continuous efforts to maintain the ability to respond quickly and effectively to security incidents to minimize their impact. We implement an incident response policy and incident response plan, and deploy comprehensive continuous security monitoring solutions to monitor events occurring across our assets. Additionally, a material risk determination model enables our cyber incident response team and senior leadership to determine materiality.


Company Information

Name: Harmony Biosciences Holdings, Inc.
CIK: 0001802665
SIC Description: Pharmaceutical Preparations
Ticker: HRMY - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30