MADRIGAL PHARMACEUTICALS, INC. 10-K Cybersecurity GRC - 2026-02-19

Page last updated on February 19, 2026

MADRIGAL PHARMACEUTICALS, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-19 09:09:16 EST.

Filings

10-K filed on 2026-02-19

MADRIGAL PHARMACEUTICALS, INC. filed a 10-K at 2026-02-19 09:09:16 EST
Accession Number: 0001628280-26-009514

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity We are increasingly dependent on sophisticated software applications and computing infrastructure to conduct key operations. We depend on our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners. Cybersecurity Program We rely on a combination of internally-managed systems and third-party technology environments to support our research, clinical, commercial, and corporate operations. As our business has grown, these systems have become increasingly important to our ability to operate effectively. We therefore maintain a cybersecurity program designed to support the resilience of our information systems and help prepare for evolving information security risks. Our program includes administrative, physical, and technical safeguards and is informed by industry frameworks, including the National Institute of Standards and Technology Cybersecurity Framework. We periodically evaluate aspects of our cybersecurity program through risk-based external assessments. We assess cybersecurity risks as part of our broader risk-management processes and consider potential impacts on our operations, financial results and reputation. Cybersecurity training is required when onboarding new employees, and we also provide annual cybersecurity awareness training for employees. We use a risk-based approach with respect to our evaluation and oversight of third-party service providers that takes into account whether such service providers access, process or store our information or support key business operations. Our due diligence activities may include security questionnaires, reviews of available audit reports and other supporting documentation. We also include appropriate security terms in contracts with third-party service providers, where applicable. Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats We maintain written information security policies, including an incident response program that outlines processes for identifying, assessing, escalating, and responding to cybersecurity incidents. Designated personnel are responsible for assessing the severity of an incident and associated threat; containing the threat; remediating the threat, including recovery of data and access to systems; and evaluating any applicable legal or regulatory reporting obligations. Our incident response program also provides for post-incident review. We maintain 24/7 security monitoring through a managed detection and response ("MDR") provider. We recently expanded our cybersecurity capabilities by adding contracted personnel dedicated to security operations and incident response. These personnel operate under the direction of our Cybersecurity and Chief Information Security Officer ("CISO") within the cybersecurity program overseen by our Chief Information Officer ("CIO"), and work alongside our MDR provider and other third-party specialists. Governance Management Oversight Overall responsibility for our information technology and cybersecurity functions resides with our CIO . Our CIO has more than 25 years of experience as an information technology ("IT") professional overseeing and supporting IT operations in the biopharmaceutical industry, including several years of experience in cybersecurity. Our CISO has over 25 years of experience in IT and security, including more than a decade in the pharmaceutical sector focused on protecting intellectual property and proprietary data. Our CISO is responsible for the development and execution of our cybersecurity strategy and for overseeing the day-to-day operation of our cybersecurity program, which is carried out by a combination of internal and contracted cybersecurity resources supporting security operations and incident response. In this role, the CISO, together with the CIO, oversees our processes for the prevention, detection, mitigation, and remediation of cybersecurity incidents through established policies, procedures, and reporting mechanisms, and provides regular updates to senior management and the Audit Committee of our Board of Directors (the "Audit Committee"), which oversees cybersecurity-related risk. Board Oversight Our Board of Directors has overall responsibility for risk oversight, and the Audit Committee oversees cybersecurity-related risk . The Audit Committee receives reports quarterly, and otherwise as needed, from the CISO and CIO and reviews cybersecurity matters with management, including our cybersecurity risk profile and the steps taken to monitor and mitigate cybersecurity risks. Cybersecurity Risks We assess cybersecurity risks as part of our broader risk-management processes and consider potential impacts on our operations, financial results, and reputation. We also maintain cybersecurity insurance providing coverage for certain costs related to cybersecurity incidents that impact our systems, networks and technology. While we believe we maintain an effective cybersecurity program, the techniques used to infiltrate IT systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. To date, there have not been any risks from cybersecurity threats, including as a result of any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. See the section titled "Risk Factors-General Risk Factors-A failure of our information technology infrastructure and cybersecurity threats may adversely affect our business and operations." in this Annual Report for more information.

Company Information