SpringWorks Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

SpringWorks Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 06:51:44 EST.

Filings

10-K filed on 2024-02-27

SpringWorks Therapeutics, Inc. filed a 10-K at 2024-02-27 06:51:44 EST
Accession Number: 0001773427-24-000010


Item 1C. Cybersecurity.

In a highly competitive, regulated industry, where we are responsible for managing and securing confidential information, such as clinical trial results, clinical subject data, patient support program information, collaboration data, trade secrets and other confidential, non-public information, such as company plans and strategies, we recognize the importance of information security practices designed to protect the confidentiality, integrity, and availability of such information. Accordingly, the foundation of our cybersecurity program consists of appropriate governance and controls designed to assess, identify, and manage cyber risks, and is considered to be an important part of the Company's broader enterprise risk management program.

Cybersecurity Governance

Responsibility for cybersecurity risk management is driven by Company leadership who are responsible for communicating the requirements for vigilance and compliance throughout the organization. The cybersecurity program is led by our Vice President of Information Technology ("VP of IT"), who reports to the Chief Financial Officer and has over 25 years of experience building, implementing and managing information systems, including the development and deployment of risk mitigation strategies for such systems.

The VP of IT is a member of and works in conjunction with other leaders of the Company's Cyber Governance Committee, which is responsible for oversight of the Company's cybersecurity program. The Cyber Governance Committee comprises cross-functional members of management, and in addition to the VP of IT, includes the Company's Chief Compliance Officer, Chief of Staff, and Chief Accounting Officer. Together, these individuals meet periodically to align cybersecurity and privacy strategy with business needs and risk appetite, monitor the execution of key cybersecurity initiatives, and serve as an escalation point for any related issues.

Members of the Cyber Governance Committee provide quarterly updates to the Audit Committee of our Board of Directors, annual updates to the Board of Directors, and regular reports to the Company's executive leadership team about the cyber program, including information about the status of ongoing efforts to enhance cybersecurity effectiveness. The Board of Directors also receives cybersecurity awareness training.

Cybersecurity Risk Management and Strategy

Our cybersecurity risk management program is informed by industry standards, intended to address the fundamental principles of information security. Our program leverages the expertise of third-party information technology providers and solutions, and includes periodic simulated attacks, penetration testing, third-party risk evaluations, and threat monitoring to identify, assess, and mitigate cybersecurity risks; and a formalized incident response and notification plan that establishes an organizational framework and guidelines to assist us in identifying, responding to, and recovering from cybersecurity incidents.

The Company performs assessments of certain third-party vendors prior to establishing a business relationship as part of our efforts to evaluate whether such vendors demonstrate appropriate commitments related to data security, availability, and confidentiality. This process is designed to be calibrated to the identified risk level associated with each vendor.

We also educate our employees to raise awareness of cybersecurity threats and best practices. As part of our onboarding process, we train all new employees on cybersecurity and maintain an annual retraining for all employees on cybersecurity standards and best practices, such as how to recognize and respond to phishing and social engineering schemes, which is supported by periodic phishing testing and training. We also have additional specific and regular training for our IT professionals.


Company Information

Name: SpringWorks Therapeutics, Inc.
CIK: 0001773427
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: SWTX - Nasdaq
Website
Category: Large accelerated filer
Fiscal Year End: December 30