Mersana Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-02-28

Page last updated on April 11, 2024

Mersana Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-28 08:49:00 EST.

Filings

10-K filed on 2024-02-28

Mersana Therapeutics, Inc. filed a 10-K at 2024-02-28 08:49:00 EST
Accession Number: 0001628280-24-007407


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have designed and maintain a cybersecurity risk management program that is integrated into our overall enterprise risk management program and with other related functions, such as information technology, or IT, system architecture and vendor management; that leverages best practices and standards and that is designed to assess, identify and manage risks from cybersecurity and other information security threats. As part of this program, we periodically evaluate risks from cybersecurity threats as part of our broader risk management activities and as a component of our internal control system. In the course of our evaluation, we consider risks that may be associated both with our internally managed information technology, or IT, systems and key business functions and with sensitive data operated or managed by third-party service providers, vendors and collaborators with whom we engage. We use the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF, as a guide to help us identify, assess and manage cybersecurity risks relevant to our business. We have designed and assessed our program based on the NIST CSF. This does not imply that we meet any particular technical standards, specifications or requirements. Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and shares common methodologies, reporting channels, and governance processes that apply across the enterprise risk management program to other legal, compliance, strategic, operational, and financial risk areas. As part of our overall risk mitigation strategy, we also maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related breaches.
Key aspects of our cybersecurity risk management program include: risk assessments designed to help identify material cybersecurity risks to our critical systems and information; dedicated personnel principally responsible for managing our cybersecurity risk assessment processes, our security controls and our response to cybersecurity incidents; the conduct of regular exercises and tests of our own systems to help discover potential vulnerabilities; the use of external service providers, where appropriate, overseen by our IT team, to assist with assessing our systems, monitoring cybersecurity threats, including the proactive identification of vulnerabilities in our systems with threat intelligence, and our defenses against cyberattacks and providing timely cybersecurity threat alerts; new-hire, annual and ad hoc cybersecurity awareness training for our employees, incident response personnel and senior management; a cybersecurity incident response plan, or the Response Plan, that includes procedures for responding to cybersecurity incidents; and a third-party risk management process, overseen by our IT team, for key service providers, vendors and collaborators, including a due diligence process that involves the completion of security questionnaires and risk assessments, as appropriate, on third parties who maintain material data or information to help us evaluate and verify third-party information security capabilities. Our Response Plan sets forth our response protocol for cybersecurity threats and cybersecurity events and incidents and is maintained by our cybersecurity incident response team, or CSIRT, which reviews the Response Plan on at least an annual basis. The CSIRT is comprised of IT department leaders, including our Vice President, Information and Technology, who reports to our Senior Vice President, Chief Operating Officer and Chief Financial Officer, as well as members of our executive team and other senior management.
Our Response Plan is designed to provide a framework for how we identify, evaluate, escalate, respond and recover in the event of a data security breach and designates personnel who are responsible for these functions. Our IT team, utilizing the support of external vendors and software products, evaluates security alerts received from various sources, and any alert or threat that the CSIRT identifies as a cybersecurity incident is promptly evaluated and escalated in accordance with the Response Plan for further assessment. Upon confirmation that a cybersecurity incident has occurred, our CSIRT will establish an incident response team, which may include representatives from our internal departments, as well as internal or external legal counsel or other external cybersecurity consultants or service providers. The CSIRT aims to develop a coordinated response strategy, including with respect to risk containment, notification processes, system restoration, incident documentation and assessment, data preservation and forensic analysis. Our Response Plan is designed to ensure that cybersecurity incidents that have had or are reasonably likely to have a material effect on our business strategy, financial condition, and results of operations are promptly escalated to relevant executive officers, including our Senior Vice President, Chief Legal Officer, for further assessment of potential materiality and, if appropriate, notification to other members of our senior management team, the chairperson of the audit committee of our board of directors, or the Audit Committee, and the full board of directors, as needed, and preparation and dissemination of public disclosure.
Cybersecurity threats have not materially affected our business strategy, results of operations or financial condition to date, but we, our collaborators and our third-party vendors and service providers may in the future be the target of cybersecurity threats, any of which could have a material adverse effect on our business. For a description of the cybersecurity risks we face and potential related impacts on us, see Risk Factors in Part I, Item 1A of this Annual Report on Form 10-K.

Cybersecurity Governance and Oversight

Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to the Audit Committee oversight of cybersecurity and other information technology risks. Our Audit Committee oversees management's ongoing activities related to our cybersecurity risk management program. Our Audit Committee receives and provides feedback regarding periodic reports from management on our cybersecurity risks. In addition, management updates the Audit Committee, as necessary, regarding significant cybersecurity threats or incidents. Our Audit Committee reports to the full board of directors regarding its activities, including those related to cybersecurity. The full board of directors also receives briefings from our executive team, informed by our Vice President, Information & Technology, on our cybersecurity risk management program, on a periodic basis. Our executive team, including our Senior Vice President, Chief Operating Officer and Chief Financial Officer and our Senior Vice President, Chief Legal Officer, is responsible for assessing and managing our material risks from cybersecurity threats. The executive team has primary responsibility for our overall cybersecurity risk management program.
Our Senior Vice President, Chief Operating Officer and Chief Financial Officer supervises our Vice President, Information and Technology, who leads the operational oversight of our company-wide cybersecurity strategy, policy, standards and processes and works across relevant departments to assess and help prepare our company and our internal cybersecurity personnel and retained external cybersecurity advisors to address cybersecurity risks. Our Vice President, Information & Technology has over 25 years of experience managing IT and cybersecurity programs, including two decades of experience implementing endpoint security, network security, incident response plans and end user training programs. Our internal cybersecurity personnel collectively have experience in cybersecurity, information security, data protection, privacy, regulatory compliance and risk management within complex and international business verticals, such as pharmaceuticals/biotechnology, technology, telecommunications and financial services, and hold several related third-party certifications related to information systems management and security. Our executive team is informed about and monitors the prevention, detection, evaluation, mitigation, and remediation of key cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public or private sources, including external advisors engaged by us, and alerts and reports produced by security tools deployed in the IT environment. 
In an effort to deter and detect cyber threats, we annually provide all employees, including part-time and temporary, with a data protection, cybersecurity and incident response and prevention training and compliance program, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.


Company Information

Name: Mersana Therapeutics, Inc.
CIK: 0001442836
SIC Description: Pharmaceutical Preparations
Ticker: MRSN - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30