Xencor Inc 10-K Cybersecurity GRC - 2026-02-25

Page last updated on February 25, 2026

Xencor Inc reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-25 16:02:27 EST.

Filings

10-K filed on 2026-02-25

Xencor Inc filed a 10-K at 2026-02-25 16:02:27 EST
Accession Number: 0001326732-26-000015


Item 1C. Cybersecurity.

The Company's management maintains a cybersecurity program, with direct oversight from the Audit Committee (the "Audit Committee") of the Board of Directors (the "Board"), to manage information, data, technology security, and procedures and practices. The cybersecurity program is informed in part by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides guidance to help identify, assess, and manage cybersecurity risks relevant to the Company's business. The Company seeks to address material cybersecurity threats through a company-wide approach that addresses the confidentiality, integrity, and availability of the Company's information systems and the information that it collects and stores, by assessing, identifying and managing cybersecurity issues as they arise. Consistent with this approach, the Company applies cybersecurity practices informed by a Zero Trust-aligned security philosophy that emphasizes continuous verification, least-privilege access, and risk-based controls across its information systems.

Cybersecurity Risk Management and Strategy

The Company maintains a cross-functional, enterprise-wide cybersecurity risk management program that is integrated into its overall risk management framework and operating processes. Cybersecurity risks are evaluated alongside other enterprise risks as part of the Company's broader risk assessment activities, including consideration of their potential impact on the Company's business operations, financial condition, results of operations, and reputation. Senior management is actively involved in identifying, assessing, and managing cybersecurity risks, and the Board, primarily through the Audit Committee, provides oversight of these risks.

Identification and Escalation of Cybersecurity Risks: The Company maintains processes and controls designed to identify, assess, and manage cybersecurity threats and incidents that could be material. These processes are intended to enable the timely identification, classification, and escalation of cybersecurity incidents to appropriate levels of management based on the nature, severity, and potential impact of the incident. Management is informed of cybersecurity incidents through defined escalation protocols, which facilitate coordination among information technology, legal, finance, and other relevant functions and support management's evaluation of incident severity, response actions, and disclosure considerations. Significant cybersecurity risks and incidents are reported to the Audit Committee, as appropriate, and the Audit Committee provides oversight of management's response and remediation efforts.

Cybersecurity Controls and Monitoring: The Company's cybersecurity program includes administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of the Company's information systems. These safeguards are supported by ongoing monitoring activities, vulnerability assessments, and cybersecurity threat intelligence, and are periodically evaluated through internal reviews and independent third-party assessments. The results of these activities are reviewed by management and used to inform enhancements to the Company's cybersecurity risk management practices.

Incident Response and Recovery: The Company maintains an incident response and recovery plan designed to guide the Company's response to cybersecurity incidents. The plan defines roles and responsibilities, escalation and reporting protocols, coordination with internal and external stakeholders, and post-incident review processes. A cross-functional incident response team, led by the Company's head of Information Technology and including representatives from finance, legal, human resources, corporate communications, and executive leadership, supports the execution of the plan. Management monitors incident response efforts and determines whether any cybersecurity incident is material and requires disclosure, and provides updates to the Audit Committee regarding significant incidents and remediation efforts, as appropriate.

Third-Party Risk Management: The Company assesses and manages cybersecurity risks associated with third-party service providers as part of the Company's overall cybersecurity risk management program. Third parties are evaluated using a risk-based approach that considers their access to the Company's systems and data and the criticality of the services provided. Based on assessed risk levels, the Company applies oversight measures commensurate with the level of risk, which may include contractual requirements, assessments, audits, or other assurance activities.

Training, Assessment, and Continuous Improvement: The Company provides regular cybersecurity training and awareness programs for employees designed to promote the identification and reporting of cybersecurity threats and reinforce the Company's information security policies and practices. The Company also conducts periodic reviews, testing, and independent assessments of its cybersecurity program. The results of these activities are evaluated by management, reported to the Audit Committee, and used to inform ongoing enhancements to the Company's cybersecurity risk management strategy.

Governance

The Board, in coordination with the Audit Committee, oversees the Company's risk management and information technology programs, including the management of cybersecurity risks. The Audit Committee receives regular reports and presentations regarding cybersecurity matters, including the Company's risk management practices, recent developments, evolving standards, vulnerability assessments, third-party and independent reviews, the threat environment, technological trends, and information security issues encountered by the Company, its peers, and third parties. The Audit Committee also receives updates regarding significant cybersecurity risks and incidents, as appropriate. On a quarterly basis, the Audit Committee discusses the Company's approach to cybersecurity risk oversight with members of senior management.

The Company's head of Information Technology, who has over 30 years of relevant experience in information security, in coordination with senior management, including the Chief Financial Officer, is responsible for managing the Company's cybersecurity risk management program. The head of Information Technology works collaboratively across the Company to implement and maintain processes designed to protect the Company's information systems from cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company's incident response and recovery plans.

Cross-functional teams throughout the Company support the cybersecurity program by addressing cybersecurity risks and responding to incidents, and provide relevant information to the head of Information Technology and senior management, who report significant cybersecurity matters to the Audit Committee, as appropriate.

Material Effects of Cybersecurity Incidents

Risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company's business strategy, results of operations, or financial condition, and are not reasonably likely to materially affect the Company's business strategy, results of operations, or financial condition.


Company Information

Name: Xencor Inc
CIK: 0001326732
SIC Description: Pharmaceutical Preparations
Ticker: XNCR - Nasdaq
Website
Category: Accelerated filer
Fiscal Year End: December 31