Innoviva, Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Innoviva, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:01:00 EST.

Filings

10-K filed on 2024-02-29

Innoviva, Inc. filed an 10-K at 2024-02-29 17:01:00 EST
Accession Number: 0000950170-24-023237

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY Risk Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct risk assessments to identify cybersecurity threats at least annually, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote internal and external resources and designate high-level personnel to manage the risk assessment and mitigation process. As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with human resources, IT, legal, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings. We engage internal auditors and other third parties in connection with our risk assessment processes. These service providers assist us in designing and implementing our cybersecurity policies and procedures, as well as to monitor and test our safeguards. During the year ended December 31, 2023, we did not identify any risks from known cybersecurity threats, including because of any prior cybersecurity incidents, that have materially affected us. However, in the future, we may face certain ongoing cybersecurity risks or threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, under the heading Our operations could be disrupted by failure of our information systems or cyber-attacks. Governance One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through the audit committee. Our executive team, primarily consisting of Chief Accounting Officer, Chief Financial Officer, and Chief Executive Officer, in conjunction with our information security team and third-party consultants, is primarily responsible in assessing and managing our material risks from cybersecurity threats. The qualifications of our executive and information security teams include a combination of formal education, current trainings and certifications in systems, network, and cybersecurity and over 50 years of combined experience in information technology and cybersecurity matters. 74 Table of Contents They oversee our cybersecurity policies and processes, including those described in Risk Management and Strategy above. The processes by which the executive team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents includes the following: They provide briefings to the audit committee regarding our company s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. In addition, they provide briefings of any significant cybersecurity matters to the board of directors as well as an annual update of cybersecurity risks and activities.

Company Information