Relay Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-22

Page last updated on April 11, 2024

Relay Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-22 16:16:44 EST.

Filings

10-K filed on 2024-02-22

Relay Therapeutics, Inc. filed an 10-K at 2024-02-22 16:16:44 EST
Accession Number: 0000950170-24-018797

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybe rsecurity. Cyber Risk Management and Strategy We have implemented and maintain a cybersecurity risk management program that includes processes for the identification, assessment and mitigation of cybersecurity risks. This process is overseen by the Director of IT Operations and Information Security, or the IT Director, and includes periodic security assessments, audits, and testing, which are informed by industry standards and supported by cybersecurity technologies, including automated tools, designed to monitor, identify and address cybersecurity risks. We periodically engage with third parties to support these efforts. We maintain internal information security policies, including an incident response plan, which are reviewed by or at the direction of the IT Director and are updated periodically to reflect material changes and improvement in our information security practices. We have a process to assess and 83 review the cybersecurity practices of third-party vendors and service providers prior to onboarding and periodically throughout the engagement, including through vendor questionnaires and contractual requirements, as appropriate. Governance Related to Cybersecurity Risks The IT Director oversees and manages the day-to-day functions of our cybersecurity risk management program. The IT Director reports to the VP of Information Technology and Facilities, or VP of IT. The IT Director and VP of IT roles are both held by individuals who each have over twenty years of professional information technology, or IT, management experience. The VP of IT meets regularly with the Audit Committee to report on and discuss information security and technology risks to our business, including our cyber risk management programs, controls and procedures. The VP of IT and the Audit Committee also conduct a high-level review of the threat landscape facing our business, discuss risk mitigation strategies and the prioritization of our remediation efforts. The IT Director meets periodically with members of the Relay Information Security Council, or RISC, which is comprised of the VP of IT and senior leaders from various functions, including finance, legal, human resources, corporate development and research and development. The RISC provides input to the IT Director in connection with proposed cyber strategies as it relates to potential business impacts from new or proposed technologies and security solutions across the organization, including implementation strategies designed to address potential risks and disruptions to the business. In the event we or one of our business partners experiences a cybersecurity incident, the RISC is responsible for assisting in evaluating the incident, including whether any disclosure of the incident is required. The VP of IT reports to the Audit Committee on cyber initiatives and implementation resulting from RISC discussions. Through the Audit Committee, the Board of Directors is informed of: (i) security initiatives, (ii) existing and emerging cybersecurity risks, including cybersecurity incidents; and (ii) any disclosure obligations arising from any cybersecurity incidents. The Board of Directors oversees our general risk management strategy and the most significant risks facing our business, and is responsible for ensuring that appropriate risk mitigation strategies are implemented.

Company Information