Ginkgo Bioworks Holdings, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Ginkgo Bioworks Holdings, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:07:49 EST.

Filings

10-K filed on 2024-02-29

Ginkgo Bioworks Holdings, Inc. filed an 10-K at 2024-02-29 17:07:49 EST
Accession Number: 0001628280-24-008052

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity risk management and strategy Ginkgo integrates risk management into its overall cybersecurity strategy, and has implemented processes designed to identify, assess, prioritize and manage risks to protect Ginkgo s data, intellectual property and information assets. As part of our risk governance and management, Ginkgo has developed processes designed to: identify and assess risks, evaluate those risks against pre-defined criteria, develop and implement strategies to address identified risks, monitor and review those risks and communicate risks to relevant stakeholders. Identifying Ginkgo s cybersecurity risks involves a multifaceted approach that encompasses both internal assessments and external information sources. For example, we use security audits conducted by internal and external auditors to assess compliance with security policies and industry frameworks; vulnerability assessments to discover vulnerabilities in networks, systems and applications; penetration testing using simulated cyberattacks to test the resilience of systems and identify weaknesses; and risk assessment processes to evaluate IT infrastructure, including using a risk register to identify risks, likelihood of their occurrence, potential impact, and remediation. We also oversee third-party service providers by conducting vendor diligence upon onboarding and additional monitoring. Vendors are assessed for risk based on the nature of their services, access to data and systems and supply chain risk. Cybersecurity risk management is overseen by Ginkgo s Chief Information Security Officer ( CISO ), who is supported by full-time information security staff. The CISO advises the executive team on the development and implementation of the information security program. Ginkgo incorporates learning from its cybersecurity risk management process into its overall cybersecurity program. To date, Ginkgo has not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our efforts, we cannot provide assurance that we will not be materially affected in the future by cybersecurity risks or any future material incidents. For more information, see Item 1A. Risk Factors, Significant disruptions to our and our service providers information technology systems or data security incidents could result in significant financial, legal, regulatory, business and reputational harm to us. Cybersecurity governance The Board provides regular oversight of the Company s cybersecurity risk management program. The CISO presents to the Board and the audit committee of our Board (the Audit Committee ) at least annually and quarterly updates via business review dashboards. The Board provides guidance to the CISO, including with respect to any changes to business priorities, risk tolerance, or security initiatives. These briefings are also augmented by ongoing and continuous interactions between the Board and the CISO, as needed. Ginkgo’s CISO has primary responsibility for assessing and managing Ginkgo s risks from cybersecurity threats. The CISO has over 20 years of pubic- and private-sector experience in information technology and has served as Ginkgo s CISO since 2018. Executive leadership provides oversight and governance through monthly business reviews of the cybersecurity program. Ginkgo also has a Disclosure Committee, which is composed of representatives from executive leadership from various departments across Ginkgo (e.g., legal, finance, accounting). Their role is to determine materiality of a cyber incident and provide guidance with respect to any disclosure obligations resulting from a cyber incident.

Company Information