Xenon Pharmaceuticals Inc. 10-K Cybersecurity GRC - 2024-02-29

Page last updated on April 11, 2024

Xenon Pharmaceuticals Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-29 16:36:01 EST.

Filings

10-K filed on 2024-02-29

Xenon Pharmaceuticals Inc. filed an 10-K at 2024-02-29 16:36:01 EST
Accession Number: 0000950170-24-023177

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybers ecurity We rely on both internal information technology systems and networks, and those of third-party vendors and contractors, to acquire, transmit, store and otherwise process information in connection with our business activities. Our ability to effectively manage our business depends on the security, reliability and adequacy of our and our third-party contractors and vendors technology systems. As such, we have implemented an information security program designed to assess, identify, and manage risks from cybersecurity threats. We perform risk assessments relating to cybersecurity and technology risks at least annually. Our cybersecurity risk management program has been developed based on industry standards, including those published by the National Institute of Standards and Technology ( NIST ). Highlights of the program include: Corporate policies and procedures that guide our use of information systems, confidentiality and security strategy; Identifying critical assets and high-risk threats, and implementing technical prevention and detection controls and response and recovery practices; A third-party risk management process to assist in making risk-informed technology product and services decisions on third parties who provide, manage, store or have access to material data or information, including the completion of security questionnaires and independent assessments of controls, audits and/or contract terms; Defined data loss prevention standards in place to detect and prevent data loss, including requiring third-party service providers with access to personal, confidential or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards and industry best practices; Security awareness training for employees to identify cybersecurity concerns and take appropriate actions; and Evaluating our program s effectiveness by performing regular internal and third-party assessments of our controls, including external penetration testing and consultation on security enhancements. Risks identified through our cybersecurity program are assessed to determine the potential impact and likelihood of occurrence and mitigation plans are developed and implemented accordingly. The Audit Committee of our Board of Directors bears the primary responsibility for oversight of cybersecurity risks. The Audit Committee is composed of board members with diverse expertise, including risk management, technology and finance, equipping them to oversee cybersecurity risks effectively. Management s oversight is performed through an IT Steering Committee, a subset of executive management including our Chief Financial Officer, or CFO, and Chief Legal Officer, and relevant functional expertise, including our Senior Vice President, Information Systems, or SVP, IS. Our SVP, IS, is the primary member of the IT Steering Committee charged with responsibility for assessing, monitoring and managing our cybersecurity risks. With over 20 years of experience in information technology strategy and operations, his background includes extensive experience as an IT executive at various companies. At least annually, the SVP, IS, and the CFO provide a comprehensive report to the Audit Committee regarding cybersecurity risk assessments, emerging threats and changes to industry standards, and incident reports and remediation, if any. The SVP, IS, oversees processes for the regular monitoring of our information systems, including potential vulnerabilities. In the event of a cybersecurity incident, the IT organization and designated members of executive management follow an established Cybersecurity Incident Response Plan. This plan includes immediate actions to contain the threat, mitigate the impact and assess materiality, and requires retrospective review and identification of corrective actions to reduce future risk. During the fiscal year ended December 31, 2023, we did not experience any material impact to our business, financial position or operations resulting from previously identified cyberattacks or other information security incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks or any future material breaches. For a discussion of these risks, see Item 1A Risk Factors Risk Related to Our Business and Industry Our business and operations could suffer in the event of an actual or perceived information security incident such as a cybersecurity breach, system failure, or other compromise of our systems and/or information, including information held by a third-party contractor or vendor.

Company Information