CymaBay Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

CymaBay Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 16:31:42 EST.

Filings

10-K filed on 2024-02-28

CymaBay Therapeutics, Inc. filed a 10-K at 2024-02-28 16:31:42 EST
Accession Number: 0001193125-24-050758


Item 1C. Cybersecurity.

Risk management and strategy

We have implemented and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic or competitive in nature, and data amassed from our clinical trials ("Information Systems and Data").

Our information technology department, with the support of our senior management, assesses and manages the Company's cybersecurity threats and risks. Our information technology department leverages third-party service providers to identify cybersecurity threats by monitoring and evaluating our threat environment, and then assesses these risks. We, and/or our third-party service providers, use various methods in identifying and assessing these risks, including, for example, manual and automated tools to identify and combat cybersecurity threats, analyzing reports of threats, conducting scans and assessments of the threat environment and to identify vulnerabilities, the use of detection and response services (including behavioral analytics and machine learning to identify security threats) and conducting reviews of third-party service providers, among other things.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example penetration testing, threat intelligence, dark web reporting, cybersecurity consulting and software, and professional services for implementation and security architecture.

Depending on the environment, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example, physical security and access controls, asset management, systems monitoring, incident detection and response, risk assessment, the implementation of security standards and certifications, encryption of data, network security controls, and a disaster recovery/business continuity plan, among other mitigation tactics.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes. For example, our information technology department works with its management and with legal and compliance to evaluate material risks from cybersecurity threats against our overall business objectives, working with other individuals from senior management as needed. Certain cybersecurity issues may then be reported to the board of directors.

Moreover, we use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations and contract manufacturing organizations. Depending on the nature of the services provided, our information technology department may review certain third-party service providers that include the assessment of the service provider's cybersecurity systems and controls. Depending on the nature of the services provided and the identity of the provider, we may impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. "Risk Factors" in this Annual Report on Form 10-K, including in "Risks Related to Our Business Operations and Industry".

Governance

Our board of directors addresses the Company's cybersecurity risk management as part of its general oversight function and is responsible for overseeing the Company's cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats.

Our cybersecurity risk assessment and management processes are implemented and maintained by certain Company management, including the management functions of information technology and legal and compliance, who have combined decades of experience in compliance and managing cybersecurity risks.

Our information technology department is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into the Company's overall risk management strategy, communicating key priorities to relevant personnel, and is responsible for approving budgets related to cybersecurity. A wider group of personnel, including the management functions of information technology and legal and compliance, help prepare for cybersecurity incidents, work in conjunction with others to approve cybersecurity processes, and review security assessments and other security-related reports.

Our cybersecurity incident response process is designed to escalate certain cybersecurity incidents to members of senior management, depending on the circumstances. Members of senior management may work with the Company's incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company's incident response process includes reporting to the board of directors for certain cybersecurity incidents.

The board receives periodic reports concerning the Company's significant cybersecurity threats and risk and the processes the Company has implemented to address them. The board also receives periodic reports, summaries or presentations related to cybersecurity threats, risk and mitigation.


Company Information

Name: CymaBay Therapeutics, Inc.
CIK: 0001042074
SIC Description: Pharmaceutical Preparations
Ticker: CBAY - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30