Oversight

We believe that Twist has a significant responsibility to protect the digital information of our customers and employees. Twist Bioscience follows the guidance of national and international agencies in making cybersecurity an important tenet of our overarching operations. Our cybersecurity program, like our Quality and Biosecurity programs, is built upon the foundation of international standards and is overseen by experts in the field and rigorously and continuously scrutinized.

Strategy

The core of our cybersecurity program is our Information Security Management System (ISMS). As a ISO 27001-certified company, Twist Bioscience is audited by an accredited, independent certification body each year to make sure that all working parts of our ISMS—our People, our Processes, and our Technology—comply with the standard. Our Board of Directors oversees all cybersecurity efforts at the highest level of the company.

People 

• All company employees, whether full-time, part-time, consultant, or contractor, are trained in our Cybersecurity Awareness program. The program includes yearly training, quarterly testing, and a weekly informational campaign to keep digital safety high in our team’s consciousness.
• Our Executive Leadership Team (ELT), Audit Committee (AC), and Product Approval Committee (PAC) are all regularly briefed on the company’s cybersecurity posture and provide guidance on strategy and priorities.
• Employee background checks are performed, roles and responsibilities are clearly delineated, a strict philosophy of least privilege governs access control, and segregation of duties is built into our policies.
• External partnerships with compliance experts, penetration testers, security operation center teams, law firms specializing in cybersecurity, and national and global agencies including the Center for Internet Security (CIS), MITRE, United States Computer Emergency Readiness Team (US-CERT), Cybersecurity and Infrastructure Security Agency (CISA), and the FBI.

Process 

• Annual audits and re-certification for ISO 27001 to ensure data protection practices comply with applicable laws and cybersecurity best practices.
• Annual risk assessment run by ISMS team and sponsored by an ELT representative.
• Annual penetration testing performed by an accredited, thirdparty agency.
• Continuous vulnerability scanning and mitigation both in our code and in our services.
• Regular access control reviews for all critical systems.
• Incident Response, Business Continuity, and Disaster Recovery policies and procedures to deal with cybersecurity incidents or natural disasters.
• Supply chain management with vendor selection security assessments and vendor assessments.
• Company privacy policy and privacy practices which align with applicable data protection laws and regulations, including General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

Screening of Sequences and Customers

In order to avoid synthesis of potentially dangerous sequences, Twist Bioscience has implemented a comprehensive screening program. All double-stranded DNA sequences ordered are screened to identify whether they originate from an organism or toxin that is domestically or internationally controlled for possession. These controlled organisms or toxins include smallpox, dangerous strains of avian influenza, and other pathogens that pose a significant threat to animal, plant, or human health. Controlled organisms and toxins are highly regulated, and possession is restricted.


If a controlled sequence (or a portion thereof) is detected during screening, Twist Bioscience contacts the customer to verify customer identity, their intended use for the sequences, past publication record on similar research, and ensure that any required licenses are issued before shipment.


Moreover, Twist Bioscience uses various government lists, such as the U.S. Treasury Specially Designated Nationals list, the U.S. State Department Denied Parties List, and the Department of Commerce Entity List, to screen each customer, ensuring that synthetic DNA is not sold to potentially dangerous individuals or organizations. Additionally, Twist confirms the validity of each organization to which they sell and requires that customers agree not to resell synthetic DNA produced by Twist Bioscience unless they have been licensed to do so under a specific contract. Lastly, Twist Bioscience only ships synthetic DNA to valid commercial addresses and will not ship to a residential address or a P.O. Box.

Our biosecurity program includes participation in national and international initiatives to enhance algorithms, metadata, and tools used by researchers to assess potential biological risks posed by specific DNA and protein sequences. Twist understands the importance of advancing biosecurity as a core technology provider and strives to contribute to a safe biotechnology environment. The company has engaged and collaborated with governments, academic institutions, international non-governmental organizations and other DNA synthesis providers to develop a set of consistent biosecurity best practices. As the field of synthetic biology continues to evolve, Twist remains active in writing the biosecurity playbook, to ensure that appropriate safeguards are in place.