iTeos Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

iTeos Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 07:09:43 EST.

Filings

10-K filed on 2024-03-06

iTeos Therapeutics, Inc. filed an 10-K at 2024-03-06 07:09:43 EST
Accession Number: 0000950170-24-026866

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk management and strategy. 60 We and our third-party service providers, such as CROs, collect, process, transmit, and store sensitive data on our networks and systems, including intellectual property, proprietary or confidential business information, and a variety of personal data. We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include response to and an assessment of internal and external threats to the security, confidentiality, integrity and availability of our data and information systems, along with other material risks to our operations. Our risk management team collaborates with our Chief Information Security Officer, or CISO and our Head of Legal to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We have processes to detect potential vulnerabilities and anomalies through technical safeguards and have adopted policies and procedures around internal and external notification of cybersecurity incidents. Our CISO and Cybersecurity Manager implement processes around security monitoring and vulnerability testing. We also have in place an incident response plan, which incorporates four overarching and interconnected stages: (1) preparation for a cybersecurity incident, (2) detection and analysis of a security incident, (3) containment, eradication and recovery, and (4) post-incident analysis. The plan specifies that security events and data incidents should be evaluated, ranked by severity and prioritized for response and remediation. Our procedures include an evaluation of incidents to determine materiality as well as operational, business and privacy impact. Our team of cybersecurity and information security professionals then collaborate with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies. As part of our risk management process, we engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. In addition, we engage outside providers to conduct annual internal and external penetration testing. We rely on third parties, including cloud vendors, for various business functions. We select key third-party service providers based on several factors, including the type of data processed and the nature of services offered, and we oversee such key third-party service providers by conducting vendor diligence upon onboarding and ongoing monitoring. Governance. Our board of directors has established oversight mechanisms to manage risks from cybersecurity threats. The audit committee of our board of directors, or audit committee, has primary responsibility for oversight of cybersecurity and is briefed on cybersecurity risks at least once a year and following any material cybersecurity incidents. Our board of directors receives periodic updates from our audit committee regarding matters of cybersecurity. Our board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any significant updates to our cybersecurity risk management and initiatives. Our cybersecurity program is overseen by our Chief Information Officer, or CIO, and is managed by our CISO and other leaders from our information technology, or IT, and legal departments. Our CIO, CISO and Cybersecurity Manager have an average of over 20 years of prior work experience in various roles involving IT, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to senior management and the Audit Committee on any appropriate items. Our senior management reports at least annually to the audit committee and such reporting includes an overall assessment of the Company s compliance with our cybersecurity policies and procedures as well as topics including existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive, or business harm, loss of intellectual property rights, significant costs, or the Company being subject to government investigations, litigation, fines, or damages. As of the date of this Annual Report on Form 10-K, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. For more information, see Risk factors - Risks related to our business operations, employee matters, taxes, litigation, and managing growth - Information system failures or unauthorized or inappropriate use of or access to our information systems risk 61 disclosure of confidential or proprietary information, including personal data, and could damage our reputation, and subject us to significant financial and legal exposure.

Company Information