Autolus Therapeutics plc 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Autolus Therapeutics plc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:55:59 EDT.

Filings

10-K filed on 2024-03-21

Autolus Therapeutics plc filed a 10-K at 2024-03-21 16:55:59 EDT
Accession Number: 0001730463-24-000048


Item 1C. Cybersecurity.

Risk management and strategy

Our information security function is led by our Executive Director of Global IT Operations ("Head of IT"), whose team is responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture, and processes. The information security function identifies and assesses risks from cybersecurity threats by monitoring and evaluating our threat environment and our risk profile using various methods including, for example, manual tools and automated tools, conducting scans of the threat environment, evaluating our and our industry's risk profile, evaluating threats reported to us, internal and external audits, leveraging third party threat assessments, and conducting vulnerabilities assessments. In addition, our employees and contractors receive periodic training under our IT security policies, including simulated intrusion attempts, and are required to certify compliance with our cybersecurity practices.

Depending on the environment or system, we implement and maintain various technical, physical, and organizational measures, processes, standards and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an information security policy, access management procedures, data back-up and restoration policy, cyberattack response procedure, network security controls, data segregation for certain data, encryption of certain data, access controls, physical controls, systems monitoring, penetration testing, employee training, and cybersecurity insurance. Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes.

We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example cybersecurity consultants, cybersecurity service providers, and penetration testing services. The results of those assessments and reviews are reported to senior management and the board of directors, including the Audit Committee, by the Head of IT, as appropriate. In addition, updates on our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of the information security program, and the emerging threat landscape may also be reported to senior management and the board of directors, including the Audit Committee, by the Head of IT, as appropriate. Our senior management team and board of directors include several members with operational experience overseeing IT operations, including risk assessment and implementation of security measures.

As of the date of this report, we are not aware of any material risks from cybersecurity threats, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.

We use third-party service providers to perform a variety of functions throughout our business, such as CROs, contract manufacturing organizations, and other distributors, including those who process clinical trial data on our behalf. Depending on the nature of the services provided, the sensitivity of the critical systems, information and assets at issue, and the identity of the provider, our third-party risk management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider, including, for example, a review of security assessments and imposition of contractual obligations related to cybersecurity on the provider.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report, including "If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences."

Governance

Management is responsible for identifying and assessing cybersecurity risks on an ongoing basis, establishing processes designed to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation and remediation measures, and maintaining cybersecurity programs. Our cybersecurity programs are managed under the direction of our Head of IT and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks. Management regularly updates the board of directors on the Company's cybersecurity programs, material cybersecurity risks and mitigation strategies and provides regular cybersecurity updates.

Our board of directors has overall oversight responsibility for our risk management and is charged with oversight of our cybersecurity risk management program. The board is responsible for ensuring that management has policies and processes in place designed to identify, monitor, assess and respond to cybersecurity, data privacy and other information technology risks to which the Company is exposed and implement processes and programs to manage cybersecurity risks and mitigate cybersecurity threats and incidents.


Company Information

Name: Autolus Therapeutics plc
CIK: 0001730463
SIC Description: Biological Products, (No Diagnostic Substances)
Ticker: AUTL - Nasdaq
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30