CODEXIS, INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

CODEXIS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:37:17 EST.

Filings

10-K filed on 2024-02-28

CODEXIS, INC. filed a 10-K at 2024-02-28 16:37:17 EST
Accession Number: 0001200375-24-000009


Item 1C. Cybersecurity.

Risk Management and Strategy

In the normal course of business, we may collect and store personal information and other sensitive information, including proprietary and confidential business information, trade secrets, intellectual property, sensitive third-party information and employee information. We assess and identify cybersecurity risk to such information by maintaining cybersecurity policies that require continuous monitoring and detection programs and network security precautions. Our program incorporates industry-standard frameworks, policies and practices designed to protect the privacy and security of our sensitive information.

We manage cybersecurity risks by maintaining various protections designed to safeguard against cyberattacks, including firewalls and virus detection software, and periodic end user training on common cybersecurity threats (e.g. phishing exercises and interactive trainings). We have established our disaster recovery plan and we protect against business interruption by backing up our major systems. In addition, we periodically scan our environment for any vulnerabilities, perform penetration testing and engage third parties to assess effectiveness of our data security practices. A third party security consultant conducts regular network security reviews, scans and audits, and we may consult with other external experts as warranted by a particular cybersecurity incident or threat. In addition, we maintain insurance that includes cybersecurity coverage.

Areas of cybersecurity risk are assessed bi-annually, and updates are reported by our Vice President of Information Technology ("VP IT") to the Board's Audit Committee and senior management annually. Where our bi-annual cybersecurity risk assessment identifies areas for improvement, we document and track our remediation activities, which are also reported to the Audit Committee and senior management annually. In this way, our program to manage cybersecurity risk integrates with our overall risk management processes.

With respect to third parties who provide services affecting critical business management systems, we collect and maintain SOC2 type II reports (attestation of controls at a service organization over a minimum six-month period). For other third-party service providers, cybersecurity risk is addressed as appropriate.

As of the date of this report, we are not aware of any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations and financial condition. Despite the implementation of our cybersecurity program, our security measures cannot guarantee that a significant cyberattack will not occur. A successful attack on our information technology systems could have significant consequences to the business. While we devote resources to our security measures to protect our systems and information, these measures cannot provide absolute security. See "Risk Factors - General Risk Factors" for additional information about the risks to our business associated with a breach or compromise to our information technology systems.

Governance

The Company's Board of Directors has visibility into cybersecurity risks through its Audit Committee and through the process described below. The Audit Committee has oversight of the Company's cybersecurity risk management programs and the design and operating effectiveness thereof, and reviews reports from Company management on cybersecurity, data privacy and other risks relevant to the Company's computerized information system controls and security. Areas of cybersecurity risk are assessed bi-annually, and updates are reported by the VP IT to the Audit Committee and senior management annually. Where our bi-annual cybersecurity risk assessment identifies areas for improvement, we document and track our remediation activities, which are also reported to the Audit Committee and senior management annually.

Senior management has appointed a Cybersecurity Council that is responsible for identifying, escalating, and facilitating the assessment and determination of the materiality of cybersecurity incidents and threats. The Cybersecurity Council is made up of representatives of IT, Legal and Finance, as well as ad hoc additional members depending on the circumstances of the incident or threat. The members of the Cybersecurity Council do not have specific expertise in cybersecurity risk other than the VP IT who has more than 20 years of experience, and engages with trusted third-party experts for support and guidance when additional expertise is required. Prior to joining Codexis, our VP IT has managed cybersecurity functions, where he was responsible for overseeing cybersecurity strategy and operations, including incident response, threat intelligence, security awareness training programs, risk assessments and remediation, and regulatory and compliance matters.

An actual or suspected cybersecurity incident that jeopardizes the confidentiality, integrity, or availability of Codexis’ information systems or any information residing therein (or threat that presents significant risk to our information systems as identified by IT) is reported to the Cybersecurity Council by our IT Department. The focus of the Cybersecurity Council is on the investigation and facilitation of senior management's assessment and determination of materiality of an incident or threat, and such investigation is separate but contemporaneous with the investigation(s) done under other applicable programs, policies, and plans regarding cybersecurity. The Cybersecurity Council will liaise directly with other investigation(s) and share information and assessments.

Along with assistance from the Cybersecurity Council as necessary, senior management reports its materiality determination and analysis, including necessary facts to support its determination, to the Audit Committee of the Board of Directors. Pursuant to its charter, the Audit Committee may, along with senior management, report such determination to the Board of Directors.


Company Information

Name: CODEXIS, INC.
CIK: 0001200375
SIC Description: Industrial Organic Chemicals
Ticker: CDXS - Nasdaq
Website:
Category: Accelerated filer
Fiscal Year End: December 30