Black Diamond Therapeutics, Inc. 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Black Diamond Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 07:20:40 EDT.

Filings

10-K filed on 2024-03-12

Black Diamond Therapeutics, Inc. filed a 10-K at 2024-03-12 07:20:40 EDT
Accession Number: 0001701541-24-000011


Item 1C. Cybersecurity.

Governance Related to Cybersecurity Risks

Our board of directors has overall oversight responsibility for our risk management, and delegates its oversight of risk assessment and management guidelines to the audit committee of the board of directors. Members of the audit committee receive annual updates from senior management regarding matters of cybersecurity. These discussions may include updates on management's efforts to address and mitigate cybersecurity risks, cybersecurity incidents (if any), and the status of key information security initiatives.

Under the oversight of our Chief Executive Officer (CEO) and executive management team, we have constituted an Information Technology (IT) Steering Committee that has primary responsibility for overseeing our management of cybersecurity risks. The IT Steering Committee is chaired by our Executive Director and Head of Information Technology ("Head of IT"), who reports directly to our Chief Operating Officer and General Counsel. Other members of the IT Steering Committee include representatives from clinical development, technical operations, finance, human resources, business operations and legal.

Our Head of IT, working with our third-party cybersecurity firm and the IT Steering Committee, assesses and manages our cybersecurity threat management processes. Our Head of IT has 40 years of information technology experience, including 30 years building and leading teams in the pharmaceutical, biotechnology and chemical industries, and has worked at a variety of institutions to implement, manage, and grow the information technology function, including cybersecurity programs. These entities have included large, publicly-traded companies and smaller startups. His experience also includes developing and maintaining tools and processes to protect internal networks, research and clinical databases, and supplier payment information and financial systems.

Under the direction of our Head of IT, we have engaged a third-party cybersecurity firm, which provides cybersecurity support services for governance and security operations. The IT Steering Committee meets regularly, and as circumstances warrant, to discuss and monitor prevention, detection, mitigation and remediation of risks from cybersecurity threats. The Head of IT provides updates to the executive management team, and, as needed, the Audit Committee, on cybersecurity developments.

In addition, we have created an IT Security Team to review the results of our cybersecurity assessments and related cybersecurity strategies as well as emerging threats in the cybersecurity landscape. The IT Security Team meets regularly and includes members from our cybersecurity firm and internal IT resources.

Cyber Risk Management and Strategy

Under the guidance of the IT Steering Committee and Head of IT, we have adopted cybersecurity risk management processes that are designed to address the identification of assets potentially at risk from cybersecurity threats, identification of potential sources of cybersecurity threats, assessment of protections to address cybersecurity threats, and the management of cybersecurity risks.

Our cybersecurity firm is responsible for monitoring our information systems and implementing procedures to mitigate cyber risks under the oversight of our Head of IT. The cybersecurity firm keeps the Company apprised of threats in the cybersecurity landscape through various means, including through threat intelligence and research sources, discussions with industry peers, security alerts, and security conferences and events, as appropriate. The cybersecurity firm also manages our network monitoring, designed to identify potential security risks, and conducts regular testing, scanning, and other vulnerability analyses. We previously engaged a third party to conduct an information technology audit, which was informed by industry standards.

We have also implemented a process to require employees to complete, upon onboarding and annually, a cybersecurity education program that is designed to raise awareness of cybersecurity threats and risks through training and simulations.

We have a process to review security features for adherence to applicable regulatory requirements and financial controls before purchasing certain third party technology or other solutions that involve exposure to the Company's assets or electronic information. From time to time, after the technology is in place, we may also conduct periodic reviews of available security documentation such as audit reporting and certifications.

Although, as of the date of this report on Form 10-K, risks from cybersecurity threats have not materially affected, and we do not believe they are reasonably likely to materially affect us, our business strategy, results of operations or financial condition, we could, from time to time, experience threats and security incidents relating to our and our third party vendors' information systems. For more information, please see the section entitled "Item 1A. Risk Factors."


Company Information

Name: Black Diamond Therapeutics, Inc.
CIK: 0001701541
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: BDTX - Nasdaq
Website:
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: December 30