Crinetics Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Crinetics Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:25:35 EST.

Filings

10-K filed on 2026-02-26

Crinetics Pharmaceuticals, Inc. filed a 10-K at 2026-02-26 16:25:35 EST
Accession Number: 0001658247-26-000012

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Risk Management and Strategy Cybersecurity represents a critical component of the Company's overall approach to risk management. The Company's cybersecurity policies, standards and practices follow recognized frameworks established by the National Institute of Standards and Technology, the International Organization for Standardization and other applicable industry standards. The Company generally approaches cybersecurity threats through a cross-functional, multilayered approach, with the specific goals of: (i) identifying, preventing and mitigating cybersecurity threats to the Company; (ii) preserving the confidentiality, security and availability of the information that we collect and store to use in our business; (iii) protecting the Company's intellectual property; (iv) maintaining the confidence of our patients, collaborators, health care providers, and prospective and future customers, clients and business partners; and (v) providing appropriate public disclosure of cybersecurity risks and incidents when required. The Company deploys systems safeguards that are designed to protect the Company's information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through ongoing vulnerability assessments and cybersecurity threat intelligence. In addition, the Company maintains a comprehensive, risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company's systems, as well as the systems of third parties that could adversely impact our business in the event of a cybersecurity incident affecting those third-party systems. The Company has established and maintains comprehensive incident response and recovery plans that fully address the Company's response to a cybersecurity incident and the recovery from a cybersecurity incident, and such plans are tested and evaluated on a regular basis. The Company regularly engages third parties to perform assessments on our cybersecurity measures, including information security maturity assessments, audits and independent reviews of our information security control environment and operating effectiveness. The results of such assessments, audits and reviews are reported to the Audit Committee and to the Board through the Audit Committee, and the Company adjusts its cybersecurity policies, standards, processes and practices as necessary based on the information provided by the assessments, audits and reviews. Governance The Board oversees the management of risks from cybersecurity threats through its Audit Committee, which receives periodic presentations and reports on cybersecurity risks and related mitigation efforts. The Audit Committee would also receive prompt and timely information regarding any cybersecurity incident that would meet the applicable established reporting thresholds, as well as ongoing updates regarding such incident until it has been addressed. At least twice each year, the Audit Committee discusses the Company's approach to cybersecurity risk management with the Company's CIO. The Company's CIO oversees the Company's cybersecurity risk-management program and works with business leaders across the organization to identify and manage cybersecurity risks. Multidisciplinary teams throughout the Company are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the Company's incident response and recovery plans. The Company's CIO has approximately 25 years of technology experience, including more than 20 years in the life sciences industry. He has served as Senior Vice President of Digital & Information Technology and Vice President of IT at multiple biopharmaceutical companies, with responsibility for emerging technologies, digital transformation, and infrastructure and security operations. He holds a Master of Business Administration and a Bachelor of Science in Information Systems and Operations Management from the University of Southern California. He also holds a Cyber Certificate from the National Association of Corporate Directors and a Master Certificate in IT Project Management from The George Washington University. Risks from the cybersecurity threats we have faced to date have not materially affected, and we believe are not reasonably likely to affect, the Company, including its business strategy, results of operations or financial condition. However, due to evolving cybersecurity threats, we may not be able to protect all information systems, and integrating information systems as we acquire new businesses or expand our business may expose us to unexpected liabilities or increase our vulnerability. See " Risk Factors - General risk factors " for additional information about the risks to our business associated with a breach or compromise to our information technology systems.

Company Information