MARAVAI LIFESCIENCES HOLDINGS, INC. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

MARAVAI LIFESCIENCES HOLDINGS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 17:05:37 EST.

Filings

10-K filed on 2024-02-29

MARAVAI LIFESCIENCES HOLDINGS, INC. filed an 10-K at 2024-02-29 17:05:37 EST
Accession Number: 0001823239-24-000032

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, contractual arrangements, tools and related services, and management oversight to assess, identify and manage risks from cybersecurity threats. We implement risk-based controls to protect our information, information systems, business operations, and products and related services. We have adopted security-control principles based on the National Institute of 59 Table of Contents Standards and Technology Cybersecurity Framework (NIST), other global standards, and contractual requirements, as applicable. We also leverage government partnerships, industry and government associations, third-party benchmarking, audits, threat intelligence feeds, and other similar resources to inform our cybersecurity efforts and allocate resources. We maintain an information security program that includes physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors and evaluate the potential operational and financial effects of cybersecurity risk countermeasures made to defend against such threats. This process has been integrated into our Enterprise Risk Management program and our Compliance Risk Management program, both of which are overseen by our Board of Directors. In addition, we engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs, including conducting penetration testing, phishing campaigns, and vulnerability assessments, and responding to any incidents. We also assess the risks from cybersecurity threats of our suppliers and third-party service providers. We also require our suppliers and third-party service providers to adopt security-control principles based on NIST or similar global standards. We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not had a material impact on us, future incidents could have a material impact on our business, operations, and reputation. Although our cybersecurity risk management processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that they will be sufficient to prevent or mitigate the risk of a cyberattack or the potentially serious reputational, operational, legal or financial impacts that may result. See Our internal computer systems, or those of our customers, collaborators or other contractors, have been and may in the future be subject to cyber-attacks or security breaches, which could result in a material disruption of our product development programs or otherwise adversely affect our business, financial condition, results of operations, cash flows and prospects within Item 1A, Risk Factors in this Annual Report on Form 10-K. Governance Our Board has overall responsibility for risk oversight. Oversight of certain of the Company s key risks is specifically allocated to Board committees based on their respective areas of expertise. The Nominating, Governance and Risk Committee assists the Board in overseeing risks specific to cybersecurity. Pursuant to its written charter, the Nominating, Governance and Risk Committee is charged with overseeing our management s efforts to identify, evaluate and mitigate major risks related to cybersecurity, data protection controls, business continuity/disaster recovery systems and other information security matters, and periodically reviews our approach to the identification, evaluation and mitigation of such risks with the Board. Our Vice President, Information Technology ( VP of IT ), together with our General Counsel, briefs the Nominating, Governance and Risk Committee on cybersecurity risks at selected meetings. These briefings include assessments of the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. To the extent that a significant cybersecurity event occurs, the Nominating, Governance and Risk Committee would also receive periodic updates from senior management, including the VP of IT, the General Counsel, and the relevant Company third-party consultants on any significant cybersecurity events. Such updates would include, as applicable and relevant, the nature, scope and timing of the event; the type and scale of information or data has been accessed, exfiltrated or encrypted; the systems involved; what is known about the threat actor, such as capabilities and demands, if any; management s ongoing assessment of the impacts or likely impacts of the intrusion; the possibility of litigation or regulatory investigations or actions; and any other information that management finds relevant and that would aid in the assessment of the materiality of the impact of the intrusion. Our Information Technology (IT) Department and Legal Department work together and are jointly responsible for developing and coordinating our enterprise-wide cybersecurity policy and strategy, including managing our cybersecurity risk management processes. The VP of IT and the General Counsel report to the Company s senior leadership team on progress towards specific cybersecurity objectives. Vijay Mani is our VP of IT. He is responsible for managing our information security, developing cybersecurity strategy, and implementing effective information and cybersecurity programs. Mr. Mani has 16 years of experience working in leadership roles in information technology, as well as relevant degrees and certifications, including an Advanced Computer Security Certificate from Stanford University. He reports directly to our Chief Financial Officer and meets periodically with the Nominating, Governance and Risk Committee.

Company Information