Replimune Group, Inc. 10-K Cybersecurity GRC - 2025-05-22

Page last updated on May 26, 2025

Replimune Group, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-05-22 17:12:09 EDT.

Filings

10-K filed on 2025-05-22

Replimune Group, Inc. filed a 10-K at 2025-05-22 17:12:09 EDT
Accession Number: 0001737953-25-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We have policies, procedures, and processes for assessing, identifying, and managing cybersecurity risks, which are built into our overall information technology function and information about cybersecurity risks and our risk management processes is collected, analyzed and considered as part of our overall risk management program. Such policies, procedures, and processes are designed to help protect our information assets and operations from internal and external cyber threats as well as secure our networks and systems. Such processes include procedural and technical safeguards, response plans, regular vulnerability and penetration tests on our systems and product applications, incident simulations, and routine review of our policies and procedures to identify risks and improve our practices. Our security incident response plan is designed to help coordinate our response to, and recovery from, cybersecurity incidents, and includes processes to assess the severity of, escalate, contain, investigate, and remediate incidents as well as to comply with applicable legal obligations. We maintain cyber insurance coverage; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks, and other related breaches. We engage certain external parties, including cybersecurity assessors, consultants and auditors, to enhance our cybersecurity processes and strategies. In addition, depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, we evaluate the security and risk posture with respect to our third party service providers according to the perceived level of risk and in accordance based on industry standard best practices. Our audit committee of the Board of Directors provides direct oversight over cybersecurity risk and provides applicable updates to the Board of Directors regarding such oversight. Members of management responsible for data privacy, technology, and information security risks join our audit committee meetings from time to time to discuss these risks, risk management activities, incident response plans, best practices, the effectiveness of our security measures, and other related matters. Our Chief Information Officer , who reports to our Chief Financial Officer, leads the operational oversight of company-wide cybersecurity strategy, policy, standards, and processes and works across relevant departments to assess and help prepare us and our employees to address cybersecurity risks. Specific cybersecurity related responsibilities include overseeing our processes and strategies for the detection, mitigation, and remediation of cybersecurity incidents. Our Chief Information Officer has extensive experience assessing and managing cybersecurity and risk programs having served in relevant positions of increasing responsibility for over 25 years at several private and public companies. In an effort to deter and detect cyber threats, we provide all employees with routine response and prevention training, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use, and mobile security, and educates employees on the importance of reporting all incidents promptly. We also use technology-based tools to mitigate cybersecurity threats and risks and to bolster our employee-based cybersecurity programs. At this time, we have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. Despite our cybersecurity efforts, we may not be successful in preventing or mitigating a cybersecurity incident that could materially affect us. See Part I, Item 1A, Risk Factors, in this Annual Report for a discussion of cybersecurity risks.

Company Information