MADRIGAL PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

MADRIGAL PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 06:32:35 EST.

Filings

10-K filed on 2024-02-28

MADRIGAL PHARMACEUTICALS, INC. filed a 10-K at 2024-02-28 06:32:35 EST
Accession Number: 0001628280-24-007376

Item 1C. Cybersecurity.

We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.

Cybersecurity Program

Given the importance of cybersecurity to our business, we maintain a cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical, and technical safeguards. We have conducted and plan to conduct evaluations of our cybersecurity program through periodic internal and external audits, penetration tests, and incident response simulations. We also require cybersecurity trainings when onboarding new employees and contractors/other workforce members, as well as annual cybersecurity awareness training for our employees and contractors/other workforce members. Our program is based on industry frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to strengthen our program effectiveness and reduce cybersecurity risks.

We use a risk-based approach with respect to our use and oversight of third-party service providers, tailoring processes according to the nature and sensitivity of the data accessed, processed, or stored by such third-party service provider and performing additional risk screenings and procedures, as appropriate. We use a number of means to assess cyber risks related to our third-party service providers, including vendor questionnaires/conducting due diligence in connection with onboarding new vendors and ongoing reviews / due diligence with key third-party vendors. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available and include appropriate security terms in our contracts where applicable as part of our oversight of third party providers.

Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats

In the event of a cybersecurity incident, we maintain a regularly tested incident response program. Pursuant to the program and its escalation protocols, designated personnel are responsible for assessing the severity of an incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing any reporting obligations associated with the incident, and performing post-incident analysis. We have relationships with a number of third-party service providers to assist with cybersecurity containment and remediation efforts.

Governance

Management Oversight

The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Chief Information Officer (CIO). Our CIO has more than 25 years of digital experience in the biopharmaceutical industry and was previously Senior Vice President Digital at Moderna, Inc., where he was responsible for technology leadership and digital transformation across core operations. Our CIO is responsible for the day-to-day management of the cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and are regularly engaged to help ensure the cybersecurity program functions effectively in the face of evolving cybersecurity threats. Our CIO provides regular briefings for our senior management team on cybersecurity matters, including threats, events, and program enhancements.

Board Oversight

While the Board of Directors has overall responsibility for risk oversight, our Audit Committee oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management, and overseeing the Company's data privacy, information technology and security and cybersecurity risk exposures, including: (i) the potential impact of those exposures on the Company's business, financial results, operations and reputation; (ii) the programs and steps implemented by management to monitor and mitigate any exposures; (iii) the Company's information governance and cybersecurity policies and programs; and (iv) major legislative and regulatory developments that could materially impact the Company's data privacy and cybersecurity risk exposure.

On a quarterly basis, our General Counsel, Chief Financial Officer (CFO) and CIO have been and are responsible to report to the Audit Committee on information technology and cybersecurity matters, including key risks, a detailed threat assessment relating to information technology risks, as applicable, the potential impact of those exposures on the Company's business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures, and significant legal developments that could materially impact the Company's cybersecurity risk exposure.

Cybersecurity Risks

Our cybersecurity risk management processes are integrated into our overall Enterprise Risk Management (ERM) process. As part of our ERM process, department leaders identify, assess and evaluate risks impacting our operations across the Company, including those risks related to cybersecurity. While we believe we maintain an effective cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see Item 1A Risk Factors; A failure of our information technology infrastructure and cybersecurity threats may adversely affect our business and operations.

We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity-related incidents that impact our own systems, networks, and technology. Since January 1, 2021 (the first date covered by the financial statements presented in this Form 10-K), we have not experienced any material cybersecurity incident.


Company Information

Name: MADRIGAL PHARMACEUTICALS, INC.
CIK: 0001157601
SIC Description: Pharmaceutical Preparations
Ticker: MDGL - Nasdaq
Website:
Category: Large accelerated filer
Fiscal Year End: December 30