Scilex Holding Co 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Scilex Holding Co reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 17:57:25 EDT.

Filings

10-K filed on 2024-03-11

Scilex Holding Co filed an 10-K at 2024-03-11 17:57:25 EDT
Accession Number: 0000950170-24-029473

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity is a critical element of our information security program. Security controls are implemented in a manner that protects the confidentiality, integrity and availability of our information assets without hindering business operations. Management is responsible for the day-to-day administration of our cybersecurity policies, processes, and practices. Our cybersecurity policies, standards, processes, and practices are based on recognized frameworks established by the National Institute of Standards and Technology (the NIST ) and management s knowledge of best practices in the cybersecurity industry. In general, we seek to address material cybersecurity threats through a company-wide approach that addresses the confidentiality, integrity and availability of our information systems or the information that we collect and store, by proactively monitoring for cybersecurity threats and assessing, identifying and managing cybersecurity issues as they occur. We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Key elements of our cybersecurity risk management strategy include: We require an annual Service Organization Control 2 Type 1 report from all third-party providers attesting to the presence of security processes. Additionally, we require that SaaS/PaaS providers perform risk assessments and manage the security risks associated with their services. We have established and maintain a comprehensive incident response plan designed to address our response to a cybersecurity incident. We conduct regular training scenarios to test these plans and ensure personnel are familiar with their roles in a response scenario. We provide regular, mandatory training for employees regarding cybersecurity threats as a means to equip our employees with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices. We use a third party to conduct a periodic assessment of our cybersecurity risk posture and maturity against the NIST Cybersecurity Framework. The results are evaluated by management and the Audit Committee and are used to adjust our cybersecurity policies, standards, processes and practices as necessary. The company studies and evaluates threats in cyber landscape and aims to regularly improve our risk posture by learning from those lessons. Our audit committee receives quarterly presentations and reports on developments in the cybersecurity space, including risk management practices, recent developments, vulnerability assessments, third-party and independent reviews, the threat environment, and information security issues encountered by other public companies. The Director of IT acts as the Incident Manager and meets regularly with our Incident Response Team, including members of Financial Risk Management, IT Security and Human Resources senior management to discuss the necessary measures to take prior to and during an incident. In the event of an incident, the Incident Manager meets regularly with the executive leadership team and keeps them apprised of the status of any incident during the incident response. Our Board and the audit committee also receive prompt and timely information from the Director of IT and executive leadership regarding any cybersecurity risks that meet certain reporting thresholds, as well as ongoing updates regarding any such risk. Finally, the Incident Response Manager briefs corporate leadership on lessons learned from the incident during or after the recovery phase. The Director of IT, in collaboration with a team of IT professionals, our legal counsel and Human Resources, are tasked with implementing a program designed to protect our information systems from cybersecurity threats and manage material risks. The Director of IT has served in various roles in information technology and information security for over 20 years. The Director of IT and senior management are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity threats and incidents in real time and report such threats and incidents to the audit committee when appropriate. Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition as of December 31, 2023. For more information, please see the risk factor disclosures included in Item 1A of this Annual Report on Form 10-K. 114

Company Information