Sustainability Oversight
At Repligen Corporation, we routinely evaluate our governance practices to ensure they remain current and relevant. A summary of these practices, as detailed in our 2025 Proxy Statement, which was published on April 4, 2025, is shown below. This section covers the reporting year 2024.
Our commitment to sustainability oversight at both the Board and management levels reflects the importance we place on ESG-driven policies and programs to support our long-term strategic plan.
SUSTAINABILITY GOVERNANCE STRUCTURE

Corporate Governance Practices

Governance
Our most current Policies and Charters are available in the Investors area of our website.
- Corporate Governance Guidelines, updated in February 2023
- Business Partner Code of Conduct
- Code of Business Conduct and Ethics
- Insider Trading Policy, updated in December 2023
Compliance Hotline — “See Something, Say Something”
Our business codes of conduct and insider trading policy highlight multiple ways — both direct and anonymous — for our employees and business partners to report any concerns of improper conduct. When a situation does not feel right, we encourage and provide avenues for employees to speak up, assuring them that any concern raised will be treated seriously, handled confidentially and addressed without fear of retribution.
Our focus on ethics applies to financial integrity, and we are committed to acting with honesty, integrity and reliability to safeguard our investors and the public’s confidence in Repligen.
As outlined in our Code of Business Conduct and Ethics, our commitment to financial integrity also encompasses record keeping and financial reporting, gifts and entertainment, political and charitable contributions, and government interactions.
Repligen has a robust set of internal controls to ensure proper accounting and compliance across all locations. With oversight of our Controller, extensive financial and control reviews are conducted to ensure our financial statements align with the U.S. Generally Accepted Accounting Principles (GAAP). These controls are designed in coordination with our internal audit team and Chief Compliance Officer, who is also our CFO, to apply risk-based rankings across the organization and to apply risk mitigation programs as required.
In addition to internal responsibilities for preparing and presenting complete and accurate financial statements, our independent registered public accounting firm, Ernst & Young LLP, performs an audit of the company’s financial statements in accordance with the standards of the U.S. Public Company Accounting Oversight Board (PCAOB) and issues quarterly and annual audit reports. The Audit Committee oversees and monitors the company’s management and its independent registered public accounting firm throughout the financial reporting process.
In addition to traditional investor communications and outreach activities, we have a proactive outreach program to engage ESG-focused portfolio managers and analysts. Over time, these conversations have been essential to understanding particular areas of interest from an ESG lens; in combination with customer inputs, these conversations have directly influenced our sustainability strategy and related governance actions.
The ESG outreach program is conducted and managed by our Investor Relations team, at their discretion, to encourage sustainability-centered discussions. The most recent in-depth program was conducted through 2021 and 2022 and focused on our "top 20" institutional shareholders who represented approximately 42% of total shares outstanding. Ten of those top 20, representing approximately 20% of shares outstanding, engaged in the discussions. Several others "had no concerns" and declined to participate.
Less formalized ESG-focused investor engagements were conducted throughout 2023 and 2024. Among these, the most common areas of interest continued to center on where and how the company was positively impacting energy consumption; the status of bioprocessing recycling programs; and actions being taken to support and advance our human capital - all of which are addressed in our 2023 and 2024 corporate sustainability reports.
As of December 31, 2024, according to 13-F filings and our investor contact management database, Repligen shares were held by 88 ESG-dedicated funds, representing 21% of our total shares outstanding. We believe the true representation is somewhat higher, as many of our largest holders’ funds are not defined as ESG-dedicated, although some of those institutions have Sustainability investment mandates for portfolio managers.
Oversight
In 2024, the risk management program continued to advance under the leadership of our interim General Counsel. High-level material risks are reviewed with the Board every six months while the Senior Management team aims to meet every six weeks to track progress on risk areas and update the risk hierarchy, assessing each risk profile and assigning actions to mitigate them. The company conducts periodic risk assessments, including corporate governance audits, to ensure that our policies and guidelines meet top industry standards, align with our peers and consider stakeholder interests.
Reporting and Tracking Risk
During 2024, we conducted thorough robustness checks of our risk tracking and reporting methods to identify opportunities for further improvement. This effort followed a detailed review process conducted in 2022 and a similar robustness check in 2023. As reported in our 2023 corporate sustainability report, we based development of the initial program on widely accepted industry standards and frameworks, as well as in-depth analysis of each business unit and function within the organization.
In the interest of elevating our risk management capabilities, we assessed a variety of risk management tools available on the market, including one we currently use for financial compliance with Sarbanes-Oxley. We ultimately selected this provider’s risk management module and began implementing it in November 2022.
Cybersecurity
At Repligen, ensuring cybersecurity is a priority area for our risk assessment and management strategy. As the number of security threats and data breaches continues to increase on a global scale, we uphold and expand our cybersecurity systems and protocols to protect our company, our employees and our stakeholders.
Repligen deploys information security systems to meet regulatory and customer obligations and to protect our internal systems, data and employees. The following updates demonstrate our ongoing commitment to cybersecurity throughout 2024.
Our Chief Information Officer (CIO) leads the development and implementation of our comprehensive data privacy and information security programs. The Information Technology team, in collaboration with Human Resources, Finance, Legal, Supply Chain, and Operations, carries out these initiatives. Our CIO and/or our head of IT Infrastructure and Cybersecurity Operations provides regular updates on our information security programs and progress to our Executive team.
In 2024, we made strategic investments to strengthen our cybersecurity measures, ensuring the protection of our company and all stakeholders. Our Board remains committed to maintaining effective, up-to-date cybersecurity policies and practices that align with our overall strategy and risk appetite. This commitment is reinforced through quarterly evaluation sessions, overseen by the Audit Committee.
All employees are expected to actively participate in protecting computer equipment and data from security breaches. These threats can come from individuals or organizations attempting to access or restrict company data through methods such as deploying advanced malware and ransomware, sophisticated social engineering tactics, or other unauthorized access attempts targeting company computers, systems, or networks. The goal of these attacks is often to cause significant damage or disruption, making it crucial for everyone to remain vigilant and proactive in safeguarding our digital assets.
In 2024, Repligen maintained a cybersecurity awareness training completion rate above 95%, significantly contributing to the security of the company’s digital assets. This high completion rate is a testament to the company’s commitment to fostering a robust security culture and ensuring all employees have the knowledge and skills necessary to protect sensitive information. The training program has been meticulously designed to cover a wide range of cyber threats, enabling employees to identify and respond to security incidents promptly.
Throughout 2024, we continuously performed artificial intelligence-driven (AIDA) email phishing campaigns. AIDA creates a security-aware culture by regularly challenging users with realistic phishing simulations and providing targeted training. This ongoing engagement keeps security top of mind and helps reduce the risk of successful phishing attacks.
In addition to the AIDA campaigns, Repligen integrated our security awareness platform with the autonomous penetration platform to enhance complexity and successfully execute a phishing breach. This integration yielded several notable outcomes: an enhanced security posture, improved security awareness, and proactive threat mitigation.
We monitor cybersecurity risks around the clock using multiple security platforms and a dedicated Security Operations Center. Repligen adheres to the CIS 20 Controls framework, using key security platforms such as SIEM (Security Information and Event Management), continuous VM (Vulnerability Management), and EDR (Endpoint Detection and Remediation).
The Center for Internet Security (CIS) Top 20 Critical Security Controls is a prioritized set of best practices designed to mitigate the most pervasive and dangerous threats in today’s digital landscape.
Repligen security measures were rigorously validated by a third-party security assessment firm, confirming the strength and effectiveness of our cybersecurity practices. The assessment included comprehensive evaluations of our security protocols, systems, and practices. Key findings highlighted our advanced ability to detect and respond to threats, bolstered by the integration of our security awareness and autonomous penetration platforms. This validation not only underscores our commitment to maintaining a secure digital environment but also enhances stakeholder confidence in our ability to protect sensitive data and systems from evolving cyber threats.
Repligen has established a comprehensive Cyber Incident Response Plan, adhering to a documented framework for managing high-severity security incidents and ensuring coordinated efforts across all company locations. We regularly conduct simulations and exercises at both technical and management levels, integrating external expertise and reviews to enhance all aspects of our cybersecurity program.
To increase awareness around Data Privacy compliance, Repligen implemented a comprehensive training platform that provides engaging and interactive modules tailored to different roles within the organization. This training platform includes regular assessments and real-world scenarios to ensure employees understand the practical implications of the Data Privacy Regulations.
Additionally, Repligen scheduled periodic refresher courses and updates to keep everyone informed about the latest regulatory changes and best practices. We continued to expand our Data Privacy program throughout our APAC region, which directly addressed the China Data Security Law (DSL), China’s Private Information Protection Law (PIPL) and China’s Cybersecurity Law (CSL). During 2024, we also updated various related internal policies and fully implemented our global Personal Data Protection Policy.
In 2024, Repligen strengthened its security with two key solutions: autonomous penetration testing and digital risk protection.
The autonomous penetration testing solution continuously scans for vulnerabilities, ensuring that potential threats are identified and mitigated in real-time. By automating this process, Repligen reduces the need for manual testing, saving both time and resources, and providing consistent and comprehensive coverage, minimizing the risk of human error and ensuring that even the most subtle vulnerabilities are detected. This allows security teams to focus on more complex tasks while maintaining a strong security posture to protect sensitive data and systems from cyber threats.
The digital risk protection solution actively monitors and mitigates digital threats across online platforms, safeguarding our organization’s reputation and sensitive data. By identifying and addressing risks such as data breaches, phishing attacks, and brand impersonation in real-time, it helps prevent potential financial and reputational damage. Additionally, it provides comprehensive visibility into our digital footprint, enabling more informed decision-making and strategic planning while creating a more resilient and secure digital environment.
To increase awareness around General Data Protection Regulation (GDPR) compliance, Repligen implemented a comprehensive training platform in 2023 that provided engaging and interactive modules tailored to different roles within the organization. This training platform included regular assessments and real-world scenarios to ensure employees understood the practical implications of GDPR. In 2024, Repligen continued to schedule periodic refresher courses and updates to keep employees informed about the latest regulatory changes and best practices. We continued to expand our Data Privacy program throughout our APAC region and updated various related internal policies. Additionally, our global Personal Data Protection Policy continued to be successfully enforced across all sites.
As data privacy overlaps with Artificial Intelligence (AI), Repligen set up diverse AI policies and created an AI Task Force guided by an AI Usage Policy. This commitment to vigilance helps us to maintain readiness for upcoming AI legislation.
Repligen management takes seriously its responsibility for effective internal controls over the company’s financial reporting. As demonstrated in the 2023 report, we added four new sites to complete Phase 5 of our ERP implementation plan, bringing the total number of sites to 18. In 2024 we upgraded the global instance of SAP S/4HANA to the latest version and implemented a separate instance of SAP for our Repligen China site. Phase 6 of our ERP implementation is scheduled for completion by June 2025 and will include our recent acquisitions plus three other sites that focus on R&D and manufacturing.
As in 2023, all major sites and distribution centers operate on the same ERP system. The system has continued to allow for improved controls and enhanced reporting and business capabilities through access to real-time information across multiple sites. The scalability of our ERP system continues to deliver more efficient business processes and strategic planning.