Caris Life Sciences, Inc. 10-K Cybersecurity GRC - 2026-03-03

Page last updated on March 3, 2026

Caris Life Sciences, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-03-03 16:09:11 EST.

Filings

10-K filed on 2026-03-03

Caris Life Sciences, Inc. filed a 10-K at 2026-03-03 16:09:11 EST
Accession Number: 0002019410-26-000016


Item 1C. Cybersecurity.

Our business model requires that we collect, analyze and store sensitive data including patient health information (including genomic information), insurance information, and other personally identifiable and personal health information. Our business also relies on sensitive intellectual property and other proprietary business information. Cybersecurity and data privacy are important to protecting our proprietary information and maintaining the trust of patients, medical practitioners, business partners, suppliers and employees.

Risk Management and Strategy

We have established a cybersecurity risk management program designed to identify, assess, and manage risks from cybersecurity threats to the Company's information systems, data, technology assets, and operations. This program is integrated into our overall company-wide risk management and is informed by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0, and is designed to incorporate an emphasis on HIPAA.

Risk Assessment Process. We assess Cybersecurity risks based on likelihood and significance of impact, across technical, financial, physical, and regulatory/compliance risks. Our risk criteria focus on the confidentiality, availability, integrity, and privacy of patient data, customer data and business-critical systems. Our policy is to conduct a formal information technology risk assessment and external network and production application penetration tests at least annually. Our in-house team also conducts periodic penetration tests.

Risk Response. The Company employs four primary risk response options: mitigate, accept, transfer, or eliminate, and the Company develops risk treatment plans for risks as appropriate. We endeavor to maintain other safeguards that are designed to prevent unauthorized access to our systems, such as two-factor authentication and password complexity requirements, and we also provide mandatory periodic information security training to employees to enhance awareness of information security issues. We maintain defense-in-depth controls for systems and seek to prioritize vulnerability management toward highest impact risk reduction.

Third-Party Engagement. We engage third-party security advisors and consultants to conduct independent cybersecurity risk assessments and advise on risk management methods. We also engage third parties for network monitoring and alerting and penetration testing.

Third-Party Vendor Risk Management. We have developed and are in the process of implementing a risk management program for vendors who access, process, store, or transmit Company data or systems. Our programs provide for vendors to be classified by risk level and assessed through questionnaires and review of vendor security protocols, and for us to address identified risks as needed through remediation plans and contractual terms. Per our policies, higher-risk vendor relationships are subject to ongoing monitoring and periodic reassessments, including review of SOC 2 (System and Organization Controls 2) or equivalent security reports where applicable.

Incident Response. The Company maintains a Cyber Security Incident Response Plan that employs an incident severity classification system that guides response actions and escalation procedures. This plan establishes a Cybersecurity Incident Response Team with defined roles including the direct involvement of our Chief Information Security Officer. The incident response plan is informed by the NIST CSF.

Risks and Incidents. As of the date of this filing, we have not identified any cybersecurity risks, nor are we aware that we have experienced cybersecurity incidents, in each case that have materially affected, or are reasonably likely to materially affect, the Company's business strategy, results of operations, or financial condition. However, cybersecurity risks represent an ongoing concern and the threat landscape continues to evolve. While we have implemented controls and procedures to manage these risks, including those described herein, there can be no guarantee that these measures will prevent all cybersecurity incidents. For additional information regarding cybersecurity risks, see "Risk Factors" in Part I, Item 1A of this Form 10-K, in particular the risk factor titled "If our information technology systems or those of third parties with whom we work, or our data are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, and other adverse consequences."

Governance

Board Oversight. The Audit Committee of the Board of Directors has primary board-level responsibility for oversight of the Company's cybersecurity risk management as set forth in its charter. The Audit Committee discusses risk management policies with management and oversees steps taken by management to monitor and control these risks, and generally receives reports on cybersecurity issues from the Chief Information Security Officer twice per year. Our incident response procedures provide for notification of the Board of Directors or of the Audit Committee Chair as appropriate based on determined severity of an incident.

Management Role. The Company's Chief Information Security Officer has extensive experience in cybersecurity, incident response and federal law enforcement, and serves as incident commander with leadership responsibility for cybersecurity incident response and oversight of the overall security program. The information security team includes additional members with responsibility for directly leading incident response specifics and for conducting investigations.

Reporting and Coordination. The Company provides periodic reports to senior leadership on risk mitigation progress aligned with business priorities. We maintain additional controls to enhance cross-functional coordination, including reports from the Chief Compliance Officer and Chief Information Security Officer to the Audit Committee, notification of the internal audit and legal teams of incidents, engagement of the legal department for incident response and inclusion of representatives from human resources, lab operations, and physical security in the incident response teams to ensure cross-functional coordination during cybersecurity incidents.


Company Information

Name: Caris Life Sciences, Inc.
CIK: 0002019410
SIC Description: Services-Medical Laboratories
Ticker: CAI - Nasdaq
Website
Category
Emerging growth company
Fiscal Year End: December 31