IGM Biosciences, Inc. 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

IGM Biosciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 16:05:38 EST.

Filings

10-K filed on 2024-03-07

IGM Biosciences, Inc. filed an 10-K at 2024-03-07 16:05:38 EST
Accession Number: 0000950170-24-027924

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risks Management and Strategy We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. We periodically assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. We conduct annual risk assessments and perform as needed updates to our risk register to identify cybersecurity threats, as well as assessments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks. Following these risk assessments, we re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. We devote significant resources and designate high-level personnel, including our Head of Information Technology (IT), who is also our Senior Vice President (SVP) of Group Operations and reports to our Chief Financial Officer (CFO), to manage the risk assessment and mitigation process. 74 Table of Contents Index to Financial Statements As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with Legal, Human Resources and IT. Personnel at all levels and departments are made aware of our cybersecurity policies through periodic training and company-wide communications. We engage an experienced cybersecurity consultant as our Interim Information Security Advisor who coordinates our risk assessment processes with our Cybersecurity Steering Committee. We engage an experienced service provider as our 24x7 network and security operations center, to assist us to design and implement our cybersecurity policies and procedures, and to monitor and test our safeguards. We assess the ability of our key third-party service providers to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company. For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, Risk Factors, in this annual report on Form 10-K. Governance One of the key functions of the Audit Committee of our Board of Directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our Audit Committee is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our SVP of Group Operations and our Cybersecurity Steering Committee, which includes our Chief Medical Officer, SVP-Corporate Controller, Executive Vice President of Process Development and Manufacturing, SVP of Preclinical Sciences, and our SVP of Legal Affairs, are primarily responsible for assessing and managing our material risks from cybersecurity threats. As part of our risk identification, assessment, and mitigation activities, we leverage the experience of our external cybersecurity advisor/consultant (CISSP, CISA, CISM, CRISC, QSA) who has extensive cybersecurity expertise across various industries. Our SVP of Group Operations, who manages our cybersecurity program, has over 25 years of experience in the Life-Sciences IT space, with over 8 years in IT security and cybersecurity functions. Our SVP of Group Operations, in collaboration with our Cybersecurity Steering Committee, oversees our cybersecurity policies and processes, including those described in Risk Management and Strategy above. Our SVP of Group Operations is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through oversight of the external consultant and the IT department, which includes oversight of a combination of automated technologies and manual responses to detect, respond and recover from any cybersecurity incident, as well as oversight of the 24x7 network and security operations center. Our SVP of Group Operations is responsible for informing our executive leadership and our Audit Committee about confirmed cybersecurity incidents, and for providing regular updates to senior executive management, including our CFO, concerning our IT and cybersecurity posture. Our SVP of Group Operations provides quarterly briefings to the audit committee and our executive management regarding our company s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like.

Company Information