Relay Therapeutics, Inc. 10-K Cybersecurity GRC - 2026-02-26

Page last updated on February 26, 2026

Relay Therapeutics, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 16:16:01 EST.

Filings

10-K filed on 2026-02-26

Relay Therapeutics, Inc. filed a 10-K at 2026-02-26 16:16:01 EST
Accession Number: 0001193125-26-076739

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybe rsecurity. Cyber Risk Management and Strategy We have implemented and maintain a cybersecurity risk management program that is aligned with the National Institute of Standards and Technology Cybersecurity Framework and includes processes for the identification, assessment, and mitigation of cybersecurity risks. This process is overseen by the Director of Development Operations, or the IT Director. It includes periodic security assessments, audits, and testing conducted internally and supported by targeted engagement with third parties. Our strategy incorporates Zero Trust principles and utilizes defense-in-depth technologies to monitor, identify, and mitigate risks. We supplement our internal capabilities by partnering with a Managed Detection and Response provider to ensure continuous monitoring of our environment. We maintain internal information security policies, including an incident response plan, which are reviewed by or at the direction of the IT Director and are updated periodically to reflect material changes and improvement in our information security practices. We have a process to assess and review the cybersecurity practices of third-party vendors and service providers prior to onboarding and periodically throughout the engagement, including through vendor questionnaires and contractual requirements, as appropriate. Governance Related to Cybersecurity Risks The IT Director oversees the administration of our cybersecurity risk management program and reports to the Senior Director, Head of IT or Senior Director of IT. The IT Director and Senior Director of IT roles are both held by individuals who each have over twenty years of professional information technology, or IT, management experience. T he Senior Director of IT meets regularly with the Audit Committee to report on and discuss information security and technology risks to our business, including our cyber risk management programs, controls, and procedures. The Senior Director of IT and the Audit Committee also conduct a high-level review of the threat landscape facing our business, discuss risk mitigation strategies, and the prioritization of our remediation efforts. The IT Director meets periodically with members of the Relay Information Security Council, or RISC, which is comprised of the Senior Director of IT and senior leaders from various functions, including finance, legal, human resources, corporate development, and research and development. The RISC provides input to the IT Director in connection with proposed cyber strategies as it relates to potential business impacts from new or proposed te chnologies and security solutions across the organization, including implementation strategies designed to address potential risks and disruptions to the business. In the event we or one of our business partners experiences a cybersecurity incident, the RISC is responsible for assisting in evaluating the incident, including whether any disclosure of the incident is required. The Senior Director of IT reports to the Audit Committee on cyber initiatives and implementation resulting from RISC discussions. Through the Audit Committee, the Board of Directors is informed of: (i) security initiatives, (ii) existing and emerging cybersecurity risks, including cybersecurity incidents; and (iii) any disclosure obligations arising from any cybersecurity incidents. The Board of Directors oversees our general risk management strategy and the most significant risks facing our business, and is responsible for ensuring that appropriate risk mitigation strategies are implemented. To date, we have not experienced any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect the company and its business strategy, results of operations, and/or financial condition.

Company Information