Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We manage material risks from cybersecurity threats through a cross-functional and layered approach that is designed to detect, identify, respond to, recover from and protect from cybersecurity incidents and is informed by industry recognized standards.
Our security governance function, which includes key employees who work in Information Security, Legal, and Privacy teams, such as our Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”), is responsible for establishing and implementing cybersecurity policies and procedures, which includes developing and updating our enterprise Incident Response Plan (“IRP”), managing incident response, and overseeing any policy exceptions and potential compensating controls.
Additionally, we assess our cybersecurity maturity annually and implement and maintain controls that are designed to evaluate and improve our cybersecurity program, such as vulnerability assessments and penetration tests, as needed. We also execute employee cybersecurity training and awareness programs around various key cybersecurity topics, including reporting incidents, phishing, ransomware, remote working, cloud security, privileged access and removable media.
Our process for assessing, identifying and managing material risks from cybersecurity threats is integrated into our overall risk management process. We have a robust enterprise risk management (“ERM”) program that plays an important role in seeking to manage and address existing and emerging risks, including cybersecurity risks, which are critical to our overall business goals and objectives. The ERM team updates our Chief Executive Officer (“CEO”) and his leadership team on cybersecurity risks as well as their potential impact, likelihood, potential mitigation plan and status.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our process for assessing, identifying and managing material risks from cybersecurity threats is integrated into our overall risk management process. We have a robust enterprise risk management (“ERM”) program that plays an important role in seeking to manage and address existing and emerging risks, including cybersecurity risks, which are critical to our overall business goals and objectives.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our Board of Directors plays an important role in overseeing cybersecurity risks. Our Board of Directors has established an oversight structure for monitoring the effectiveness of and risks related to the cybersecurity program. The Audit Committee has been designated by the Board to oversee cybersecurity and information technology risks. The Audit Committee receives quarterly cybersecurity updates from our CISO, and the chair of the Audit Committee meets with the CISO individually on a quarterly basis. These updates often address topics such as ongoing efforts to improve our cybersecurity posture, operational metrics, incident metrics and mitigation actions, and may include key metrics such as those related to cybersecurity maturity, risk reduction, cybersecurity program health, and audit and compliance activities. The Audit Committee updates the Board on its activities at each regularly scheduled Board meeting. Updates related to cybersecurity are provided to the Board on an annual basis as part of an overall ERM update. In addition to this regular reporting, significant cybersecurity events may also be escalated on an as-needed basis through the company’s organizational structure in accordance with the IRP.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors plays an important role in overseeing cybersecurity risks. Our Board of Directors has established an oversight structure for monitoring the effectiveness of and risks related to the cybersecurity program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board of Directors plays an important role in overseeing cybersecurity risks. Our Board of Directors has established an oversight structure for monitoring the effectiveness of and risks related to the cybersecurity program. The Audit Committee has been designated by the Board to oversee cybersecurity and information technology risks. The Audit Committee receives quarterly cybersecurity updates from our CISO, and the chair of the Audit Committee meets with the CISO individually on a quarterly basis. These updates often address topics such as ongoing efforts to improve our cybersecurity posture, operational metrics, incident metrics and mitigation actions, and may include key metrics such as those related to cybersecurity maturity, risk reduction, cybersecurity program health, and audit and compliance activities. The Audit Committee updates the Board on its activities at each regularly scheduled Board meeting. Updates related to cybersecurity are provided to the Board on an annual basis as part of an overall ERM update. In addition to this regular reporting, significant cybersecurity events may also be escalated on an as-needed basis through the company’s organizational structure in accordance with the IRP.
Cybersecurity Risk Role of Management [Text Block]
Our CISO, supported by a cross-functional team, has primary responsibility for assessing and managing our cybersecurity program and the related risks. Details of the risk management and escalation processes are discussed in “Cybersecurity Risk Management and Strategy” above. The CISO has over 30 years of IT and cybersecurity experience in large biopharmaceutical, life sciences, financial and technology industries, including over ten years with the company, and is responsible for managing the security architecture, engineering, technology operations, monitoring, incident response, risk, governance, quality and compliance at the company.
The company’s Information Security function is comprised of teams that engage in a range of cybersecurity activities such as security operations, security engineering, data privacy controls, validation, compliance and audit readiness. Leaders of each team are expected to collaborate to help increase visibility of key issues and alignment with strategy. As noted above, the company’s IRP includes standard processes for escalating significant cybersecurity incidents to management, including the CISO. The company’s incident response team also coordinates with external legal advisors, cybersecurity forensic firms, communication specialists, and other outside advisors and experts, as appropriate.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our CISO, supported by a cross-functional team, has primary responsibility for assessing and managing our cybersecurity program and the related risks. Details of the risk management and escalation processes are discussed in “Cybersecurity Risk Management and Strategy” above.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The CISO has over 30 years of IT and cybersecurity experience in large biopharmaceutical, life sciences, financial and technology industries, including over ten years with the company, and is responsible for managing the security architecture, engineering, technology operations, monitoring, incident response, risk, governance, quality and compliance at the company.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Audit Committee receives quarterly cybersecurity updates from our CISO, and the chair of the Audit Committee meets with the CISO individually on a quarterly basis. These updates often address topics such as ongoing efforts to improve our cybersecurity posture, operational metrics, incident metrics and mitigation actions, and may include key metrics such as those related to cybersecurity maturity, risk reduction, cybersecurity program health, and audit and compliance activities.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true