Gamida Cell Ltd. 10-K Cybersecurity GRC - 2024-03-27

Page last updated on April 11, 2024

Gamida Cell Ltd. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-27 07:35:28 EDT.

Filings

10-K filed on 2024-03-27

Gamida Cell Ltd. filed an 10-K at 2024-03-27 07:35:28 EDT
Accession Number: 0001213900-24-026229

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, and our critical data, including intellectual property, confidential information that is proprietary, strategic, or competitive in nature, and clinical trial data , or Information Systems and Data. Our Chief Compliance Officer and Head of Global Information Technology both help identify, assess, and manage the Company s cybersecurity threats and risks. We identify and assess risks from cybersecurity threats by monitoring and evaluating our threat environment using various methods including, for example manual and automated tools, analyzing reports of threats and actors, evaluating threats reported to us, evaluating our and our industry s risk profile, audits, conducting threat assessments, conducting vulnerability assessments, and conducting tabletop incident response exercises. Depending on the environment and systems, we implement and maintain various technical, physical, and organizational measures, processes, standards, and policies designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: an incident response plan, disaster recovery plans, risk assessments, network security controls, access controls, systems monitoring, and cybersecurity insurance. Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, we prioritize and mitigate cybersecurity threats that are more likely to lead to a material impact to our business. We use third-party service providers to assist us from time to time to identify, assess, and manage material risks from cybersecurity threats, including for example professional services firms, including legal counsel and cybersecurity software providers. We use third-party service providers to perform a variety of functions throughout our business, such as hosting companies and contract research organizations. We have a vendor management program to manage cybersecurity risks associated with our use of these providers. The program includes risk assessments for certain vendors and audits. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider. For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including If our information technology systems or those third parties upon which we rely or our data, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions litigation fines and penalties disruptions of our business operations reputational harm loss of revenue or profits loss of customers or sales and other adverse consequences . We utilize information technology for internal and external communications with vendors, clinical sites, banks, investors and shareholders. Loss, disruption or compromise of these systems could significantly impact operations and results. 65 We are not aware of any material cybersecurity violation or occurrence. We believe our efforts toward prevention of such violation or occurrence, including system design and controls, processes and procedures, training and monitoring of system access, limit, but may not prevent unauthorized access to our systems. Other than temporary disruption to operations that may be caused by a cybersecurity breach, we consider cash transactions to be the primary risk for potential loss. We and our financial institution take steps to minimize the risk by requiring multiple levels of authorization and other controls. Governance Our board of directors addresses our cybersecurity risk management as part of its general oversight function. The board of directors Audit Committee are responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of our management team, including: Josh Patterson, General Counsel and Chief Compliance Officer. Mr. Patterson has over 20 years of experience in legal and risk management at various biotechnology companies. Mr. Patterson has previously served as General Counsel at a large biotechnology company. Kelly Randis, Head of Global Information Technology. Ms. Randis is a seasoned information technology professional with substantial experience in handling cybersecurity matters who has worked at various pharmaceutical companies. Ms. Randis has previously served as the Director for Emerging Technology and Innovation at an international pharmaceutical company. Our management is responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key priorities to relevant personnel. Our management is responsible for approving budgets, helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response processes are designed to escalate certain cybersecurity incidents to members of management depending on the circumstances, including Mr. Patterson. Ms. Randis works with the Company s incident response team to help the Company mitigate and remediate cybersecurity incidents of which they are notified. In addition, the Company s incident response processes include reporting to the Audit Committee of the board of directors for certain cybersecurity incidents. The board receives regular reports from Ms. Randis concerning our significant cybersecurity threats and risk and the processes we have implemented to address them. The board also receives various reports, summaries or presentations related to cybersecurity threats, risk, and mitigation.

Company Information