ImmunityBio, Inc. 10-K Cybersecurity GRC - 2024-03-19

Page last updated on July 16, 2024

ImmunityBio, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-19 16:31:53 EDT.


10-K filed on 2024-03-19

Accession Number: 0001326110-24-000037

Item 1C. Cybersecurity.

Risk Assessment and Management

We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.

The company has an ERM program to identify, evaluate, and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with the company’s broader business goals and objectives. We believe that integrating cybersecurity risks into our ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the company’s operations, financial condition, and reputation in an ever-evolving threat landscape.

The company maintains a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems.

Cybersecurity threats, including those resulting from any previous cybersecurity incidents, have not materially affected the company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our company. See Item 1A. Risk Factors - "Our systems, infrastructure or data, or those used by our CROs, CMOs, clinical sites or other contractors or consultants, may or may be perceived to fail or suffer a cyberattack, security breach or other incident, including a breakdown or compromise of the confidentiality, integrity and availability of our systems, networks or data, which could adversely affect the operation of our business and reputation" for more information regarding cybersecurity risks and the potential impact on the company.

Incident Response

The company has a dedicated incident management team responsible for managing and coordinating its cybersecurity incident response efforts. This team also collaborates closely with other teams in identifying, protecting from, detecting, responding to, and recovering from cybersecurity incidents. Cybersecurity incidents that meet certain thresholds are escalated to the executive incident team and cross-functional teams on an as-needed basis for support and guidance. Additionally, this team tracks cybersecurity incidents to help identify and analyze them. The company’s incident response team partners with other key stakeholders as appropriate to respond to cybersecurity incidents.

The company maintains a cybersecurity and incident response program to prepare for and respond to cybersecurity incidents, which includes standard processes for reporting and escalating cybersecurity incidents to the executive incident team. Additionally, the company conducts at least one incident response test exercise on an annual basis, where members of a cross-functional team engage in a simulated incident scenario.

Governance

Board Oversight Role

Our Board of Directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee (the Committee) of the Board of Directors oversees our cybersecurity and data privacy. The Committee meets periodically to review and discuss with management risks relating to significant cybersecurity matters and concerns involving the company, including information security, data privacy, backup of information systems and related regulatory matters and compliance. The Committee regularly reports to the Board of Directors with respect to the Committee’s activities and recommendations, including those relating to cybersecurity matters and concerns. The CIO provides quarterly reports to the Committee on information security matters, including the adequacy and effectiveness of the company’s information security policies and practices and the internal controls regarding information security, and notifies the chairperson of the Committee as soon as practicable of significant information security matters and concerns as they arise.

Management’s Role

The company has a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters. The company’s cybersecurity function is led by the company’s director of information security, who reports to the CIO. The director of information security and CIO (collectively, the Cybersecurity Leaders) are actively involved in assessing and managing cybersecurity risks, and are responsible for implementing cybersecurity policies, programs, procedures, and strategies. The responsibilities and relevant experience of each of the Cybersecurity Leaders are as follows:

The CIO provides leadership for the company’s technology department. She holds a Bachelor of Science, Communication from Arizona State University, has served in various roles in information technology for over 25 years, holds multiple certifications, and has been actively involved in the information security and cybersecurity domains for over 20 years.

The director of information security is responsible for all aspects of cybersecurity across the company’s locations and data centers, including security engineering, security operations, incident response, threat intelligence, risk and compliance, and vulnerability management. He holds a Bachelor of Science in Business Administration, Management Information Systems from the University of Arizona, holds various certifications, and has served in various roles in information technology for over 25 years at numerous technology companies and consulting firms.

The company’s cybersecurity department is comprised of teams that engage in a range of cybersecurity activities such as threat intelligence, security architecture, and incident response. These teams conduct vulnerability management and penetration testing to identify, classify, prioritize, remediate, and mitigate vulnerabilities. Leaders from each team regularly meet with the Cybersecurity Leaders to provide visibility to major issues and seek alignment with strategy. As discussed above, the company’s cybersecurity incident response plan includes standard processes for reporting and escalating cybersecurity incidents to senior management. Cybersecurity incidents that meet certain thresholds are escalated to the Cybersecurity Leaders and cross-functional teams on an as-needed basis for support and guidance. The company’s incident response team also coordinates with external legal advisors, communication specialists, and other key stakeholders.

Use of Third Parties

Cybersecurity Service Providers and Third-Party Consultants

The company engages cybersecurity consultants and other third parties to assess and enhance its cybersecurity practices. These third parties conduct assessments and penetration testing to identify weaknesses and recommend improvements. Additionally, the company leverages a number of third-party tools and technologies as part of its efforts to enhance cybersecurity functions, including a managed security service provider to augment the company’s internal resources, an endpoint detection and response system for continuous monitoring, detection, and response capabilities, and a security information and event management solution to automate real-time threat detection, investigation, and prioritization of high-fidelity alerts.

Oversight of Third-Party Service Providers

The company also uses third-party service providers to support its operations and many of its technology initiatives, and evaluates its third-party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider’s cybersecurity posture or a recommendation of specific mitigation controls. Following such evaluation, the company determines and prioritizes service provider risk based on the potential threat impact and likelihood, and such risk determination drives the level of due diligence and ongoing compliance monitoring required for each service provider.

Company Information

Name: ImmunityBio, Inc.
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: IBRX - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: December 30