Zai Lab Ltd 10-K Cybersecurity GRC - 2024-02-27

Page last updated on April 11, 2024

Zai Lab Ltd reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-27 16:20:27 EST.

Filings

10-K filed on 2024-02-27

Zai Lab Ltd filed an 10-K at 2024-02-27 16:20:27 EST
Accession Number: 0001628280-24-007235

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity risks are a growing threat to us and other businesses, including our CROs, CMOs, and other third-party providers, which are vulnerable to cyberattacks, malware, and other system failures that may result in unauthorized access, damage, and other harms to our business or reputation. Protecting the confidentiality, integrity, and availability of our business information, intellectual property, customer, patient and employee data, and technology systems is critical to our business and operations, ability to comply with regulatory requirements, and reputation. Accordingly, cybersecurity is an important and integrated part of the Company s enterprise risk management function that identifies, monitors, and mitigates business, operational, and legal risks. Accordingly, we have established cybersecurity standards, policies, and operating procedures, including our Global IT Policy and Information Security Policy and our incident response plan, for the purpose of implementing information protection processes and technologies; carrying out cybersecurity risk detection, identification, assessment, response, and monitoring; assigning responsibility within our organization for risk detection and oversight; implementing cybersecurity training; governing internal communications regarding cybersecurity risks; and making required public and regulatory disclosures regarding cybersecurity threats and incidents. We oversee risks from cybersecurity threats associated with our use of third-party service providers by requiring our vendors to agree that they have and will maintain appropriate cybersecurity controls, such as through standard contractual provisions, and by coordinating with key vendors with respect to integration with our systems. Our cybersecurity risk management program is based on the National Institute of Standards and Technology ( NIST ) framework. -76- Key components of our cybersecurity risk management program include the use of third-party service providers, as appropriate, to assess, test, or otherwise assist with aspects of our security processes. For example, we employed a third-party cyber risk consultant to assess our overall cybersecurity risk framework against NIST standards. We have also engaged third-party experts to perform penetration testing of our IT systems, and we have considered the results of such tests to enhance our cybersecurity systems and controls, as appropriate. Our management, including leaders from our IT, information security, legal, and compliance teams, is responsible for implementing our cybersecurity standards, policies, and operating procedures, under the ultimate oversight of our Chief Operating Officer. We regularly discuss and assess cybersecurity risks as part of our Risk Coordination Council, which brings together senior leaders across the Company to address various risk issues. In addition, our Global Compliance Committee, which is comprised of leaders from senior management, legal, compliance, finance, HR, and internal audit, discusses significant risk issues affecting the Company, including with respect to cybersecurity issues, as appropriate. Members of our information security team, which includes personnel in the United States and China, collectively have decades of experience with information technology and cybersecurity systems, implementation, and oversight in the jurisdictions in which we operate. Under our incident response plan and our related information security policies and procedures, our information security personnel are responsible for promptly notifying senior management, including leaders in our legal and compliance departments, about any new cybersecurity incident or threat that may require management evaluation or response. Our Audit Committee assists our Board in overseeing cybersecurity risk management and the integrity of our information technology systems, processes, and data. Periodically, the Audit Committee reviews and discusses with management, our internal auditor, and, in its discretion, third party vendors or other external experts, the adequacy of security for our information technology systems, processes, and data; our incident response and contingency plans in the event of a breakdown or security breach affecting the security of our information technology systems or data or the information technology systems, processes, and data of our clients; and any new threats or incidents that have or may impact us. The Audit Committee receives reports on the operation of such programs from the Chief Operating Officer, Chief Legal Officer, and/or the IT Department, as appropriate. The Audit Committee also reviews management reports regarding the evolving threat environment, vulnerability assessments, and specific cybersecurity incidents. Periodically, the Audit Committee reports on cybersecurity matters, incidents, and risk oversight to the Board. The Board also receives briefings from management on our cybersecurity risk management program. Although we have not experienced a cyberattack or other cybersecurity incident that has materially affected us, we cannot guarantee that we will not experience cybersecurity incidents that may have a material effect on us in the future. For more information, see Risk Factors Potential cybersecurity threats are changing rapidly and advancing in sophistication. We may not be able to protect our systems and networks, or the confidentiality of our confidential or other information (including personal information), from cyberattacks and other unauthorized access, disclosure, and disruption.

Company Information