BIOMARIN PHARMACEUTICAL INC 10-K Cybersecurity GRC - 2024-02-26

Page last updated on April 11, 2024

BIOMARIN PHARMACEUTICAL INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-26 13:34:15 EST.

Filings

10-K filed on 2024-02-26

BIOMARIN PHARMACEUTICAL INC filed an 10-K at 2024-02-26 13:34:15 EST
Accession Number: 0001048477-24-000016

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including, among other things, intellectual property, trade secrets, confidential information that is proprietary, strategic or competitive in nature, and personal data (collectively, Information Systems and Data). Our cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) cybersecurity framework. Our cybersecurity operations team identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company s risk profile. We use various methods and security tools designed to help prevent, identify, protect, detect, escalate, respond, and recover from identified vulnerabilities and security incidents in a timely manner. Depending on the technology environment, we implement and maintain various technical, physical, and organizational measures, in the form of policies, standards, processes, and technical capabilities, designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, among other things, internal reporting, annual and ongoing cybersecurity awareness training for employees, mechanisms to detect and monitor unusual network activity, as well as threat detection, containment, incident response and backup recovery tools. Our assessment and management of material risks from cybersecurity threats are integrated into the Company s overall risk management processes. As part of such process, we conduct tests of our cybersecurity program on a regular basis that are designed to identify cybersecurity risks associated with our technology environment. We use third-party security service providers and cybersecurity consultants to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats and review our cybersecurity program. Our internal audit team also conducts audits to evaluate the effectiveness of our cybersecurity program and improve our security measures and planning. The results of such reviews are reflected in the cybersecurity risk register and certain members of our senior management evaluates material risks from cybersecurity threats against our overall business objectives and reports to the Audit Committee (Audit Committee) of the Board of Directors (Board), which evaluates our overall enterprise risk, as well as to the full Board. We use third-party service providers to perform a variety of functions throughout our business, such as research collaborators, contract research organizations, contract manufacturers, suppliers, and distributors. Depending on the nature of the services provided, certain providers are subject to cybersecurity risk assessments at the time of onboarding and upon contract renewal. We also use various inputs to assess the risk of our third-party service providers, including information supplied by them. Depending on the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve various levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider. While we have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, please see Risk Factors included in Part I, Item 1A of this Annual Report on Form 10-K, including We rely significantly on information technology systems and any failure, inadequacy, interruption or security lapse of that technology, including any cybersecurity incidents, could harm our ability to operate our business effectively and have a material adverse effect on our business, reputation, financial condition, and results of operations." Governance Our Board has ultimate oversight of cybersecurity risk, which it manages as part of its general risk oversight function. The Board satisfies its responsibility to oversee cybersecurity risk through full reports by the Chair of the Audit Committee chair regarding such committee s considerations and actions, as well as through regular reports directly from officers responsible for oversight of risks. The Audit Committee is responsible for overseeing Company s cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Board and the Audit Committee receives periodic reports, summaries, and presentations from our senior management, including the Chief Information Officer and Global Head of Cybersecurity, concerning the Company s significant cybersecurity threats and risk and the processes the Company has implemented to address them. 53 We recently established the Executive Cybersecurity Committee (ECC), which is comprised of our Chief Financial Officer, Chief Information Officer, Chief Legal Officer, Chief Accounting Officer, and Global Head of Cybersecurity, with the goal of providing oversight of the Company s cybersecurity program. The ECC is responsible for, among other things, evaluating and determining the materiality of cybersecurity incidents as well as reviewing and approving any public disclosures with respect to material cybersecurity incidents. Our cybersecurity incident response policy is designed for our cybersecurity operations team, which is led by our Global Head of Cybersecurity who works in conjunction with the cross-functional incident response team, to escalate certain cybersecurity incidents to the ECC depending on the circumstances. The ECC also has the responsibility of reporting to the Board and/or the Audit Committee. We maintain a Cybersecurity Risk Committee (CRC) that is comprised of management level representatives from key organizations and functions within the Company and led by our Global Head of Cybersecurity. The CRC is responsible for our enterprise-wide cybersecurity risk management framework established by certain members of our senior management, including the review and approval of significant strategies, policies, procedures, processes, controls, and systems designed to identify, assess, monitor, and report the major risk factors facing the Company. In addition, the CRC provides guidance to senior management on risk appetite, risk profile and approves the effectiveness of the Company s enterprise-wide cybersecurity risk framework and such other duties as directed by the Board. The CRC also assists in the oversight of decisions that affect cybersecurity compliance with applicable laws, regulations, and corporate policies. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of Company management, including the Chief Information Officer, who reports to the CFO. Our Chief Information Officer has nearly 25 years of industry experience and has been with us since 2008. Our Global Head of Cybersecurity has over 25 years of cybersecurity and privacy experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies.

Company Information