Aptevo Therapeutics Inc. 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

Aptevo Therapeutics Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 08:30:32 EST.

Filings

10-K filed on 2024-03-05

Aptevo Therapeutics Inc. filed an 10-K at 2024-03-05 08:30:32 EST
Accession Number: 0000950170-24-025428

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity The Company s Board of Directors (the Board ) is responsible for overseeing the Company s risk management program and cybersecurity is a critical element of this program. Management is responsible for the day-to-day administration of the Company s risk management program and its cybersecurity policies, processes, and practices. The Company s cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology ( NIST ) and are included in the Company s overall risk management system and processes. In general, the Company seeks to address material cybersecurity threats through a company-wide approach that addresses the confidentiality, integrity, and availability of the Company s information systems or the information that the Company collects and stores, by assessing, identifying and managing cybersecurity issues as they occur. Cybersecurity Risk Management and Strategy The Company s cybersecurity risk management strategy focuses on several areas: Identification and Reporting: The Company has information security and risk management policies and procedures designed to properly identify, classify and escalate certain cybersecurity incidents to provide management visibility and obtain direction from management as to the public disclosure and reporting of incidents in a timely manner. Technical Safeguards: The Company implements technical safeguards that are designed to protect the Company s information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence, as well as outside audits and certifications. Additionally, the Company leverages an industry standard Endpoint Detection and Response (EDR) tool to manage and monitor endpoint security for laptops and servers including scanning and monitoring of vulnerabilities. Further, the Company has mandated multi-factor authentication for all employees in addition to periodic security and phishing training and awareness. In 2023, the Company engaged an independent assessor to assess the maturity of its cybersecurity program against the NIST Cybersecurity Framework (NIST CSF). The results of the NIST CSF maturity assessment laid the roadmap for the cyber initiatives conducted in 2023 and future. Further, a third-party conducted an external and internal penetration test, performed a dark web scan for any Aptevo private and confidential data and assessed Aptevo’s cloud security configuration posture. All critical and high-risk findings from that assessment were addressed in 2023. Incident Response and Recovery Planning: The Company has established and maintains security incident response and disaster recovery plans designed to address the Company s response to a cybersecurity incident. Third-Party Risk Management: The Company leverages third-party vendors to house critical clinical trial data. These vendors are required to be GxP compliant which entails strong cybersecurity controls that are validated by a third-party auditor. Furthermore, the Company has begun performing security risk assessments prior to on-boarding new significant vendors. Education and Awareness: The Company provides regular, mandatory training for all levels of employees regarding cybersecurity threats as a means to equip the Company s employees with effective tools to address cybersecurity threats, and to communicate the Company s evolving information security policies, standards, processes, and practices. 60 Governance The Board has designated the Audit Committee as the governing committee for the oversight of the Company s material IT cybersecurity risks. The Audit Committee reviews cybersecurity risks through quarterly updates, and the committee monitors the status of ongoing projects to strengthen existing information security controls and practices and mitigate the potential risk of cybersecurity incidents. Quarterly, the Company’s Chief Financial Officer (CFO), with support from the expert firm providing Chief Information Officer (CIO) services, presents on material cybersecurity risks and their accompanying mitigation and remediation strategies to the Audit Committee. The CIO and CFO are key management roles responsible for assessing and managing material risks from cybersecurity threats. The CIO reports to the CFO and is responsible for implementing and maintaining the enterprise cybersecurity organization. The CIO has over 20 years of experience in Information Security and Cybersecurity for public and private institutions in the pharmaceutical, insurance, manufacturing, healthcare, and non-profit industries. The CFO also brings over 20 years of experience with a focus on small to mid-size public companies in the life science and technology fields. The CIO, in coordination with senior management including the CFO, works collaboratively across the Company to implement a program designed to protect the Company s information systems from cybersecurity threats and to promptly respond to any material cybersecurity incidents in accordance with the Company s incident response and recovery plans. The CIO and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time, and report such threats and incidents to the Audit Committee when appropriate. Material Effects of Cybersecurity Incidents Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition.

Company Information