NGM BIOPHARMACEUTICALS INC 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

NGM BIOPHARMACEUTICALS INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:15:03 EDT.

Filings

10-K filed on 2024-03-11

NGM BIOPHARMACEUTICALS INC filed a 10-K at 2024-03-11 16:15:03 EDT
Accession Number: 0001628280-24-010232

Item 1C. Cybersecurity.

Risk Management Strategy

We have implemented and maintain various information security processes. These processes are designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, strategic or competitive in nature, and proprietary or confidential information, including clinical trial data, personal and financial information, referred to collectively as Information Systems and Data.

Our Chief Financial Officer, or CFO, together with our Incident Disclosure Committee, or IDC, Security Incident Response Team, or SIRT, which is led by our head of information technology, or IT, and composed of two employees who have direct work experience in network security, and third-party service providers, help identify, assess and manage the Company's cybersecurity threats and risks. In doing so, they identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment and the Company's risk profile using various methods including, for example, automated and manual tools, third-party threat assessments and intelligence feeds, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and threat actors, evaluating the Company's and the industry's risk profile, evaluating reported threats, coordinating with law enforcement relating to threats, conducting threat assessments for internal and external threats, conducting red/blue team testing and tabletop incident response exercises jointly with external third parties.

Depending on the environment, we implement and maintain various technical, physical and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident detection and response plan and policy; encryption of data; network security controls; access controls; physical security; and employee training.

Our assessment and management of material risks from cybersecurity threats are integrated into the Company's overall risk management processes. For example, our IT department works with management to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact to our business.

We use third-party service providers to assist us from time to time to identify, assess and manage material risks from cybersecurity threats, including for example threat intelligence service providers, penetration testing firms, dark web monitoring services, cybersecurity consultants and software providers.

We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, and contract manufacturing organizations. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes a risk assessment for each vendor which includes a security questionnaire, a review of the vendor's written security program, and security assessment calls with the vendor’s security team. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and impose contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report, including "We, our CROs, our CMOs, our current and potential future partners and other third parties we rely on or partner with could experience a cybersecurity incident that could harm our business."

Governance

Our board of directors, or the Board, addresses the Company's cybersecurity risk management as part of its general oversight function. The Board has delegated to the audit committee of the Board, or Audit Committee, responsibility for overseeing the Company's cybersecurity risk management processes generally, including oversight and mitigation of risks from cybersecurity threats.

Our CFO is responsible for cybersecurity risk management and has experience overseeing IT departments in previous roles. Our principal accounting officer, or PAO, oversees the IT department and in that capacity is responsible for hiring appropriate cybersecurity personnel, helping to integrate cybersecurity risk considerations into the Company's overall risk management strategy, and communicating key priorities to relevant personnel. Our PAO has significant experience with managing access to key company-wide information systems.

Our head of IT is responsible for assessing and managing our material risks from cybersecurity threats and for our cybersecurity protections generally, including helping prepare for cybersecurity incidents, approving cybersecurity processes and reviewing security assessments and other security-related reports. Our head of IT has prior work experience in cybersecurity, holds relevant degrees and current cybersecurity certifications.

The Audit Committee receives periodic reports from our CFO and head of IT concerning cybersecurity threats and risks, and the processes that we have implemented to address and mitigate them. The Audit Committee updates the Board on such cybersecurity issues as part of its general committee report to the Board at regular Board meetings. Our Board is responsible for approving budgets to support those activities.

We have in place a cybersecurity incident response plan, reviewed by the Audit Committee, which establishes incident response processes, policies and procedures. Under the plan, our CFO, as incident response leader, works with the Company's SIRT to help the Company mitigate and remediate cybersecurity incidents of which they are notified. Our IDC is notified and activated in the event of a significant cybersecurity incident. The IDC is composed of our CFO, the lead of the SIRT, our General Counsel and other members of our legal and finance teams. In the event of a severe or major cybersecurity incident, the IDC will oversee and coordinate the response, determine materiality of impact and any disclosure requirements in conjunction with legal counsel and will ensure that the Audit Committee and/or the Board are updated and that required disclosures are made in a timely manner.


Company Information

Name: NGM BIOPHARMACEUTICALS INC
CIK: 0001426332
SIC Description: Pharmaceutical Preparations
Ticker: NGM - Nasdaq
Website:
Category: Non-accelerated filer, Smaller reporting company
Fiscal Year End: December 30