SUPERNUS PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

SUPERNUS PHARMACEUTICALS, INC. reported its cybersecurity risk management and governance process in an annual 10-K filed on 2024-02-27 16:14:59 EST.

Filings

10-K filed on 2024-02-27

SUPERNUS PHARMACEUTICALS, INC. filed a 10-K at 2024-02-27 16:14:59 EST
Accession Number: 0001356576-24-000013


Item 1C. Cybersecurity.

Cybersecurity

Our business depends on information technology systems and networks, which we protect from cyber threats that could harm our data, operations, and reputation. We have invested in security measures designed to safeguard the data of our customers and employees, prevent, detect, and respond to cyberattacks, and comply with data privacy requirements.

Cybersecurity Governance

Our approach to cybersecurity begins with our responsibility for strong governance and controls. Security begins at the top of our organization, where Company leadership consistently communicates the requirements for vigilance and compliance throughout the organization, and then leads by example. We use a risk-based and layered approach to prevent, detect, and respond to cyberattacks, and leverage external partnerships for threat intelligence. Our management is responsible for risk identification, risk management and risk mitigation strategies associated with cybersecurity-related information technology risks, including fully documenting our cybersecurity policies and procedures and cybersecurity risk management program, as well as implementing a cybersecurity risk management program and ensuring compliance with our cybersecurity policies and procedures. Our Senior Vice President of Quality, GMP Operations, and Information Technology leads our Information Technology team, which includes experienced information security professionals and has expertise in various aspects of cybersecurity, such as network security, data protection, incident response, threat intelligence, and security awareness. Our Information Technology Team's expertise is supplemented by external consultants who provide specialized services and independent assessments of our cybersecurity posture and capabilities.
Management has appointed a Cybersecurity Incident Response Team (the "CSIRT"), which is operationally responsible for coordinating, executing, and managing cybersecurity incident response activities. The CSIRT is comprised of experienced information security personnel from our Information Technology team. The CSIRT's responsibilities include, among other things, incident identification and escalation to designated members of management. Among the designated members of management who are required to be notified are our Chief Executive Officer and our Chief Financial Officer. Our Board of Directors has appointed its Audit Committee as its primary body to oversee management's risk identification, risk management and risk mitigation strategies related to cybersecurity-related information technology risks. Members of our management who have responsibility for designing and implementing our risk management processes are required to meet periodically with the Audit Committee regarding our policies, processes, procedures and any significant development related to the identification, management and mitigation of cybersecurity risks. The Audit Committee's primary oversight of management's cybersecurity risk management efforts is supplemented by our full Board, which is required to receive, on an annual basis, an update from management on any significant developments related to the identification, management and mitigation of cybersecurity risks.

Cybersecurity Risk Identification and Management

As part of management's initiative to enhance our information security program, during 2023 our program underwent an internal audit, which was supported by an international firm experienced in auditing such programs. The results of the audit are being used by management to supplement previously planned enhancements.
Management, with the assistance of third-party experts, is developing and implementing governance-related enhancements to its cybersecurity risk management program. A significant aspect of that process involves fully documenting existing policies, standards and procedures and developing others, including personnel training requirements; threat monitoring, detection, and containment standards; risk assessment processes; standards for third-party penetration testing; and standards for third-party vendor security requirements. Management expects that the program will continue to adapt and incorporate new techniques and procedures in an effort to combat evolving and novel cybersecurity threats. Our current cybersecurity risk management program includes the following key elements:

Cybersecurity risk mitigation: We utilize various measures, tools and controls to prevent, detect, and mitigate cyberattacks, such as firewalls, antivirus software, encryption, authentication, backup, and recovery. We also adopt a defense-in-depth approach that layers multiple security mechanisms across our information systems and networks, such as perimeter, endpoint, application, and data security. We monitor and test our security measures and controls, and we update and enhance them as needed to address new and emerging cyber threats and vulnerabilities. We also rely on specialized services or tools from third-party vendors and software companies, including network monitoring, threat, incident and breach identification, and data security and backup services. For third-party service providers whose software or personnel have access to our systems, we review their security audit reports prior to the commencement of their services.
Cybersecurity risk response: The Company's Executive Management, which is led by our CEO and includes leaders from across the Company's departments, is responsible for providing the necessary resources, support, and authority for the CSIRT to carry out its responsibilities effectively. Our Executive Management team is accountable for making critical decisions in response to an incident. The CSIRT is operationally responsible for coordinating, executing, and managing incident response activities. Both our Executive Management team and the CSIRT receive regular training on information security topics.

Cybersecurity education and training: We provide regular and mandatory cybersecurity education and training to our employees, contractors, and other authorized users of our information systems and networks, to raise their awareness and understanding of cyber risks and their responsibilities for protecting our information systems and data. We also conduct periodic phishing and social engineering campaigns to test and reinforce the cybersecurity behavior and culture of our users. We also ensure that our suppliers and other business partners meet our cybersecurity expectations and requirements.

We are committed to maintaining and improving our cybersecurity risk management program as our business and the cybersecurity threat environment evolve. Because no cybersecurity program can ensure an incident will not occur, we have established business continuity, contingency and recovery plans to be used if we experience a cybersecurity incident, and have obtained cyber insurance coverage to mitigate the potential losses and liabilities arising from cyber incidents.

Cybersecurity Incidents

On November 24, 2021, we announced that we were the target of a ransomware attack. The attack had no significant impact on our business and did not cause any long-term disruption to our operations.
After verifying that redundant off-site data backups had not been compromised by the ransomware attack, the backups were utilized to restore the data encrypted by the criminal groups. While the Company has not been the subject of any legal proceedings involving the attack, it is possible that the Company could be the subject of claims from persons alleging they suffered damages from the incident, or of actions by governmental authorities; the amount of such fines, penalties or costs, if any, cannot be estimated at this time. In response to the 2021 ransomware attack, we accelerated previously planned information technology investments in ways designed to improve our information security and technology infrastructure. We have incurred costs since 2021 and expect to continue to incur costs as we continue to invest in our information security and technology infrastructure. Despite our security measures, our information technology and infrastructure may be vulnerable to cybersecurity incidents in the future, and our insurance may be inadequate to mitigate the potential losses and liabilities arising from such an incident. For additional information regarding cybersecurity risks we face, see Item 1A. Risk Factors - "Cybersecurity incidents may adversely impact our financial condition, results of operations, and reputation. Security breaches and other disruptions could compromise our information and expose us to liability which would cause our business and reputation to suffer."


Company Information

Name: SUPERNUS PHARMACEUTICALS, INC.
CIK: 0001356576
SIC Description: Pharmaceutical Preparations
Ticker: SUPN - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30