Karyopharm Therapeutics Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Karyopharm Therapeutics Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 07:43:55 EST.

Filings

10-K filed on 2024-02-29

Karyopharm Therapeutics Inc. filed an 10-K at 2024-02-29 07:43:55 EST
Accession Number: 0000950170-24-022650

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cyber security Cybersecurity Risk Management and Strategy Like all companies with an internet presence, we are regularly subject to cyberattacks and other cyber incidents, and, therefore, cybersecurity is an important element of our ongoing information technology operations. We devote significant resources to protecting and enhancing the security of our computer systems, business information, software, networks and other technology assets, by applying our cybersecurity risk management processes, which consider physical, procedural and technical safeguards. We have a multi-faceted program for assessing, identifying and managing cybersecurity risks, that is designed to help protect our information assets and operations from internal and external cyber threats by: organizing our cybersecurity efforts based on the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework by applying the framework s rubric of Identify, Protect, Detect, Respond, and Recover; seeking to understand, manage and mitigate risk while ensuring business resiliency and protecting business, employee and patient information from unauthorized access or attack; identifying critical business information, the lifecycles of that information, and the systems where this information is stored, distributed, processed, and eventually destroyed. For example, by managing important external parties and their operations, analyzing their cybersecurity risk to our business operations, and reviewing the residual risk with business leaders to accept and manage each external party appropriately; protecting and securing our systems from attack with secure configuration standards and protective cybersecurity tools; detecting potential attacks through appropriate tools, including cybersecurity-related data collection and analysis to help identify potential attacks; responding to alerts from those tools with processes to verify whether there is a real incident and the severity of that incident using appropriate resources and team members, including establishing and exercising a Cybersecurity Incident Response Plan ( IRP ) based on recognized industry practices, including NIST guidance; and establishing and exercising processes and procedures to recover from cybersecurity incidents. 94 Table of Contents Our IRP contains tools, and guidance related to cybersecurity events and is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to triage, assess the severity of, escalate, contain, investigate, and remediate incidents as well as comply with applicable legal obligations. In addition, as part of our overall risk mitigation strategy, we also maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches. We regularly engage external parties, inclusive of but not limited to, service vendors, consultants, independent privacy assessors, peer companies, industry groups, and governance experts to enhance our understanding and application of oversight of the cybersecurity landscape. For example, we provide an annual assessment of our cybersecurity program, completed by our third-party Chief Information Security Officer ( CISO ), to our Audit Committee for review and feedback. These external parties provide an industry perspective on appropriate risk management and investment in our cybersecurity efforts that is reviewed and approved by company management and the Board of Directors. We do not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect the Company or its business strategy, results of operations or financial condition. Cybersecurity Governance and Oversight The Audit Committee of our Board of Directors provides direct oversight over cybersecurity risk. The Audit Committee receives and provides feedback on quarterly updates from management regarding cybersecurity and is notified between such updates regarding significant new cybersecurity threats or incidents, if any. As part of these quarterly updates to the Audit Committee, our Vice President of Information Technology presents any developments, emerging risks or key topics to the Audit Committee, including, among other things, the external threat environment, risk profile changes, training initiatives, the status of projects to strengthen cybersecurity, emerging global policies and regulations, cybersecurity technologies and industry practices, cyber readiness, results of third-party assessments, mitigation efforts and response plans. The full Board of Directors receives regular reports from the Chair of the Audit Committee, as well as periodic updates highlighting recent incidents throughout the industry and the emerging threat landscape. Our Vice President of Information Technology leads an IT Security Team and has overall responsibility for the security program. The IT Security Team is responsible for leading company-wide cybersecurity strategy, policy, standards and processes. The IT Security Team works across the enterprise to assess and prepare our employees and third parties to manage cybersecurity risks and detect, investigate and respond to cybersecurity incidents. Our Vice President of Information Technology has 25 years of information technology experience, including 22 years of leadership responsibility, and has substantial operational experience with cybersecurity policy, protection, incident response, and governance. We also utilize a third-party cybersecurity advisor to act as our CISO, supporting the Vice President of Information Technology. This fractional executive has extensive experience as a CISO and cybersecurity executive with over 25 years of expertise in designing, building, and operating transformational information security programs, is a Certified Information Systems Security Professional, and holds a Master of Science in Strategic Intelligence. Further, our IRP establishes a Security Council, which is responsible for providing oversight, direction, and governance of incident response policies and processes and is composed of certain company stakeholders, including our Vice President of Information Technology and our third-party CISO. In an effort to deter and detect cyber threats, we provide a monthly cybersecurity awareness newsletter to all employees, including part-time and temporary contractors, which covers timely and relevant topics, such as social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and reminds employees of the importance of reporting all incidents quickly. We run frequent phishing tests to raise awareness of spam emails, the primary attack vectors for cyber threats and to further raise awareness of cyber threats. We provide annual training on employee responsibilities for protecting company information and data along with our overall compliance responsibility. Each October during cybersecurity awareness month in the U.S., we provide weekly updates on cybersecurity awareness and host a company-wide lunch and learn discussion of our cybersecurity program and the impact of cybersecurity on individuals as well as the company, with a data protection, cybersecurity and incident response and prevention training and compliance program. 95 Table of Contents

Company Information