RIGEL PHARMACEUTICALS INC 10-K Cybersecurity GRC - 2024-03-05

Page last updated on April 11, 2024

RIGEL PHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-05 16:06:00 EST.

Filings

10-K filed on 2024-03-05

RIGEL PHARMACEUTICALS INC filed an 10-K at 2024-03-05 16:06:00 EST
Accession Number: 0001558370-24-002475

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Cybersecurity and privacy incidents in the pharmaceutical industry are growing in frequency and severity, prompting organizations to invest heavily in people, processes, and technology to bolster their cybersecurity risk management capabilities. We assess the integrity of our information technology and cybersecurity platforms to help ensure proper safety measures are implemented. We understand the extensive responsibility associated with safeguarding our systems and data. Our processes for assessing, identifying, and managing material risks from cybersecurity threats include: Detection and Prevention: We utilize various securities tools and technologies designed to prevent, identify, protect, detect, escalate, respond and recover from cyber threats in a timely manner. Our approach includes real-time monitoring, threat analysis, and regular security evaluations to identify and mitigate potential vulnerabilities. User Training & Education: We realize that human error can be a significant cybersecurity risk, so we have implemented education and training programs for our staff to raise awareness about cybersecurity best practices. By promoting a culture of security consciousness, we empower our staff to identify potential threats and respond effectively, in a way that is designed to enhance the overall cybersecurity posture of our organization. Incidence Response and Business Continuity: We have comprehensive Incidence Response and Business Continuity plans in place designed to ensure the continuity, availability and accessibility of our systems and data, even in the face of unforeseen events such as natural disasters or cyber incidents, which plans and systems we test regularly. We rely upon the capacity, availability and security of our information technology hardware and software infrastructure. We maintain comprehensive compliance and security programs designed to help safeguard and ensure the integrity of the confidential information we possess, which includes both organization and technical control measures. We routinely conduct employee trainings on important information security procedures and test and measure compliance with these security measures. In addition, we maintain cyber insurance policies that mitigate the financial risk of any potential incident. 89 Table of Contents We engage consultants, auditors, and other third parties in connection with such processes. We work with third-party service providers to assist us in our cybersecurity risk management to identify areas that may potentially impact our business, develop and implement control framework to mitigate such cybersecurity risks, and to be prepared to respond to and report (as required) applicable cybersecurity incidents. We face a number of risks including the growing threat of cybersecurity attacks. Despite our implementation of security measures to combat the threats of cybersecurity attacks, any system failure, accident or security breach could result in disruptions to our operations. To the extent that any disruption, cybersecurity attack or other security breach results in a loss or damage to our data or inappropriate disclosure of confidential information, our business could be harmed. In addition, we may be required to incur significant costs to protect against damaged caused by these disruptions or security breaches in the future. While we have not, as of the date of this Annual Report on Form 10-K, experienced cybersecurity challenges (including any previous cybersecurity incidents) that have materially affected us, our business strategy, our results of operations or our financial condition, there can be no guarantee that we will not experience such an incident in the future. For additional information regarding risks from cybersecurity threats, please refer to Item 1A. Risk Factors of this annual report on Form 10-K. Governance Our Corporate Governance, Healthcare Compliance Oversight, and Nominating committee oversees our cybersecurity risk management. This committee periodically reviews and assesses the risk exposure of our risks related to data privacy, technology and information security, including cyber-security, and back-up of information systems and makes recommendations to our Board of Director pertaining to monitoring and minimizing findings in such assessment. This committee periodically reports to the Board of Directors. While the Corporate Governance, Healthcare Compliance Oversight, and Nominating committee oversees our cybersecurity risk management, our management also plays an integral role in cybersecurity oversight. Our management is responsible for day-to-day risk management processes. This includes periodic updates from the Executive Director of Information Technology who has over 23 years of work experience in the life science industry, and holds an undergraduate degree in Industrial Technology. The Executive Director of Information Technology is responsible for managing the daily measures of safeguarding the information technology infrastructure from potential threats and vulnerabilities, which includes monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. Additionally, we have established a Crisis Management Team (CMT), which is a team of cross-functional participants who are prepared to review and assess any potential cybersecurity incidents. The CMT team is led by our CFO and our General Counsel who will advise the Corporate Governance, Healthcare Compliance Oversight, and Nominating committee of the Board accordingly in the event of any incident. We believe this division of responsibilities is the most effective approach for addressing our cybersecurity risks and that the Board leadership structure supports this approach.

Company Information