Apogee Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

Apogee Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 06:15:46 EST.

Filings

10-K filed on 2024-03-05

Apogee Therapeutics, Inc. filed an 10-K at 2024-03-05 06:15:46 EST
Accession Number: 0001558370-24-002406

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We operate in the biotechnology sector, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. We have implemented and utilize a risk-based approach that incorporates various information security processes designed to assess, identify and manage risks from potential unauthorized occurrences on or through our information technology systems that may result in adverse effects on the confidentiality, integrity and availability of information technology systems and the data residing therein. The critical data contained on our information systems include intellectual property, confidential 118 Table of Contents information that is proprietary, strategic or competitive in nature, and sensitive, personal information that we collect, use, store and transmit digitally in the ordinary course of our business. These processes are managed and monitored by a dedicated information technology team, which is led by our Senior Vice President of Information Technology, and include mechanisms, controls, technologies, systems, and other processes designed to monitor and evaluate our threat environment, prevent or mitigate data loss, theft, misuse, or other security incidents or vulnerabilities affecting the data and maintain a stable information technology environment. Our cybersecurity program is informed by certain industry standards and best practices as outlined by the National Institute of Standards and Technology ( NIST ) Cybersecurity Framework. We use various tools and methodologies to manage cybersecurity risk that are tested on a regular cadence. We use email security tools, managed detection and response, third party managed security services, regular vulnerability scans and threat intelligence feeds. We also have an incident response plan designed to mitigate and remediate identified cybersecurity incidents and escalate certain incidents as appropriate to management and the Audit Committee. We assess third-party service providers with a cyber security questionnaire and a follow up meeting or audit based upon the risk profile of the third party with access to personal, confidential or proprietary information to implement and maintain cybersecurity practices intended to be consistent with applicable legal standards and industry best practices. Our business depends on the availability, reliability, and security of our information systems, networks, data, and intellectual property. Any disruption, compromise, or breach of our systems or data due to a cybersecurity threat or incident could adversely affect our operations, customer service, product development, and competitive position. They may also result in a breach of our contractual obligations or legal duties to protect the privacy and confidentiality of our stakeholders. Such a breach could expose us to business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation, regulatory scrutiny and actions, reputational harm, customer dissatisfaction, harm to our vendor relationships, or loss of market share. To mitigate the aforementioned consequences of cybersecurity incidents, we carry cyber attack insurance. In the last fiscal year, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, but we face certain ongoing cybersecurity risks threats that, if realized, are reasonably likely to materially affect us. Additional information on cybersecurity risks we face is discussed in Part I, Item 1A, Risk Factors, under the heading Our internal information technology systems, or those of any of our CROs, manufacturers, other contractors or consultants, third party service providers, or potential future collaborators, may fail or suffer security or data privacy breaches or other unauthorized or improper access to, use of, or destruction of our proprietary or confidential data, employee data or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations. Our Senior Vice President of Information Technology, a certified CISSP, who reports directly to the Chief Financial Officer and has over twenty years of experience managing information technology and cybersecurity, is responsible for assessing and managing cybersecurity risks. We consider cybersecurity, along with other significant risks that we face, within our overall enterprise risk management framework. The Board of Directors, as a whole and at the committee level, has oversight for the most significant risks facing us and for our processes to identify, prioritize, assess, manage, and mitigate those risks. The Audit Committee, which is comprised solely of independent directors, has been designated by our Board to oversee cybersecurity risks. The Audit Committee receives regular updates on cybersecurity and information technology matters and related risk exposures from our Senior Vice President of Information Technology. The Board also receives updates from management and the Audit Committee on cybersecurity risks on at least an annual basis. 119 Table of Contents

Company Information