Amylyx Pharmaceuticals, Inc. 10-K Cybersecurity GRC - 2026-03-03

Page last updated on March 3, 2026

Amylyx Pharmaceuticals, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-03 07:10:58 EST.

Filings

10-K filed on 2026-03-03

Amylyx Pharmaceuticals, Inc. filed a 10-K at 2026-03-03 07:10:58 EST
Accession Number: 0001193125-26-086645

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy We recognize that cybersecurity threats have been increasing in number and severity in the general marketplace and in our industry. In an effort to address the threat landscape, we maintain a cybersecurity risk management strategy that is designed to identify, assess, manage, and address cybersecurity threats that may have a material impact on our business. We maintain a Written Information Security Program that defines our organization's cybersecurity policies and procedures. This covers all aspects of cybersecurity, including but not limited to: - risk management; - incident response; - third party security assessments and data protection agreements, required of all vendors that access, store or process our data; - mandatory security awareness and phishing training through digital microlearning assignments; 91 - acceptable use; - endpoint security; - patch management; - log management; and - backup and recovery. We engage a third-party to conduct a cybersecurity risk assessment on an annual basis, which is informed by the National Institute of Standards and Technology, or NIST, Cybersecurity Framework. We have established a process for our IT security team to track and quantify known IT security risks and our remediation efforts through a cybersecurity risk register. The IT security team meets periodically to review and update the cybersecurity risk register based on feedback across the organization and the findings contained in our NIST-informed annual cybersecurity risk assessment. The IT security team reports on findings on at least an annual basis to the executive leadership team and the board of directors. We face a number of cybersecurity risks in connection with our business. Although such risks have not materially affected, and we do not believe they are reasonably likely to materially affect, our business strategy, results of operations or financial condition, to date, we have, from time to time, experienced threats to and security incidents related to our and our third-party vendors' information systems. For more information about the cybersecurity risks we face, see the risk factor entitled "Cyber-attacks or other failures in our telecommunications or IT systems, or those of our collaborators, CROs, third-party logistics providers, distributors or other contractors or consultants, could result in information theft, data corruption and significant disruption of our business operations" in Item 1A- Risk Factors. Governance of Cybersecurity Risks Our board of directors is responsible for the general oversight of cybersecurity risks and is informed of key updates to our cybersecurity processes by relevant members of our executive leadership team on at least an annual basis. Our executive leadership team meets with our Senior Vice President of Information Technology, along with other members of our IT security team as needed, to discuss cybersecurity matters, such as the emerging cybersecurity threat landscape, significant developments to our cybersecurity processes, and our cybersecurity risk assessments. Senior management is thus kept abreast of the cybersecurity posture and potential risks facing our company. Our cybersecurity incident response process is designed to proactively triage, contain, investigate, mitigate and correct all incidents at the direction of the Senior Vice President of Information Technology. Critical incidents are assessed for materiality, and escalated to the executive leadership team for awareness, direction and approval as needed. Furthermore, significant cybersecurity matters, and strategic risk management decisions are escalated to the board of directors, as needed, to provide oversight and guidance on critical cybersecurity issues. Our IT security team, led by the Senior Director of Information Security, Governance and Architecture, or the Senior Director of ISGA, is responsible for managing and directing the day-to-day information security strategy of the organization, including oversight of our cybersecurity tools , controls and strategies to protect organization assets, networks and data. The Senior Director of ISGA reports to our Senior Vice President of Information Technology. The Senior Director of ISGA routinely reports on cybersecurity risks, projects, and initiatives to the Senior Vice President of Information Technology, who regularly reports to executive management and the audit committee on these matters as described above. The Senior Director of ISGA maintains a Certified Information Systems Security Professionals, or CISSP, certification and has more than two decades of IT security management experience. The IT security team is supported by external vendors that provide managed services for network support, security operations and other IT areas as needed. Our IT security team also meets regularly with our Global Privacy Committee, which oversees our Enterprise Data Protection Program, to coordinate on cybersecurity initiatives and strategy related to protection of personal data. 92

Company Information