Arcus Biosciences, Inc. 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Arcus Biosciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:11:36 EST.

Filings

10-K filed on 2026-02-25

Arcus Biosciences, Inc. filed a 10-K at 2026-02-25 16:11:36 EST
Accession Number: 0001724521-26-000009

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk management and strategy We have implemented and maintain a cybersecurity program that includes various processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third-party hosted services, communications systems, hardware and software (collectively, "Information Systems"), and our critical data, including clinical trial and candidate data, intellectual property, and confidential information that is proprietary, strategic or competitive in nature (collectively with Information Systems, "Information Systems and Data"). Our program is designed and assessed using the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"), which guides our approach to identifying, assessing, and managing material cybersecurity risks relevant to our business. While we use this framework to inform our cybersecurity practices, this does not imply compliance with any particular technical standards, specifications, or requirements. Under this framework, our information security function, led by our Chief Information Officer, helps to identify, assess and manage the Company's cybersecurity threats and risks. Key elements of our cybersecurity risk management program include but are not limited to the following efforts. We conduct assessments to help identify and assess material risks from cybersecurity threats to our critical systems and information. We monitor and evaluate our threat environment using various methods including, for example deploying automated tools in certain environments, subscribing to and analyzing reports and services that identify certain cybersecurity threats, conducting scans of certain aspects of our threat environment, evaluating certain threats that are reported to us, conducting internal and external audits and internal threat assessment of certain environments, engaging third parties to conduct threat assessments, and conducting vulnerability assessments. We also engage third-party providers, where appropriate, to periodically assess certain of our internal controls and processes for information security. Further, we take certain measures to mitigate cybersecurity risks, including, for example, cybersecurity awareness training for employees and management, periodic testing through simulated "phishing" campaigns (and require remedial training based on results) and the adoption of an incident response plan that includes procedures for responding to cybersecurity incidents, a vulnerability management policy and a business recovery plan. Furthermore, our information security team works with a security committee (the "Security Committee") to manage our cybersecurity risk management processes, our security controls, and our response to cybersecurity incidents. We use third-party service providers to perform a variety of functions throughout our business, such as CROs and CMOs. Under our information security function, we perform risk and security assessments for certain key vendors that involves a review of the vendor's written security program. Depending on the nature of the services provided, the vendor's criticality to our operations and the vendor's respective risk profile, our vendor management process may involve different levels of assessment designed to help identify cybersecurity risks associated with a provider and we may impose contractual obligations related to cybersecurity on the vendor. We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. For a description of the risks from cybersecurity threats that may materially affect the Company and how they may do so, please see "Risk Factors - Our internal information technology systems, and those of our third-party CROs and other third parties upon which we rely, are subject to failure, security breaches and other disruptions, which could result in a material disruption of our investigational products' development programs, jeopardize sensitive information, prevent us from accessing critical information or result in a loss of our assets, and potentially expose us to notification obligations, loss, liability or reputational damage and otherwise adversely affect our business." in Part I, Item 1A herein. Governance Our board of directors considers cybersecurity risk management as part of its general oversight function and has delegated to the Audit Committee oversight of cybersecurity risks, including oversight of management's implementation of our cybersecurity risk management programs. The Audit Committee receives periodic reports from management, specifically our Chief Information Officer ("CIO") , on our information security program and cybersecurity risks. In addition, management updates the Audit Committee, where it deems appropriate, regarding any cybersecurity incidents it considers to be significant or potentially significant. Our CIO chairs our Security Committee, which helps to identify, assess and manage our material cybersecurity threats and risks. Our CIO has over 20 years of strategic and operational IT/cybersecurity leadership experience and multiple cybersecurity certifications, from leading security organizations, such as (ISC)2, Cloud Security Alliance, Cisco Security, Microsoft Security. Our management team takes steps to stay informed about and monitor efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include: briefings from internal personnel; threat intelligence and other information obtained from public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in our IT environment.

Company Information