Cybersecurity Risk Management, Strategy, and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

We believe cybersecurity is critical to advancing our technological developments. As a biopharmaceutical company, we face a multitude of cybersecurity threats common to most industries, such as ransomware and denial of service. Our customers, suppliers, subcontractors, and business partners face similar cybersecurity threats, and a cybersecurity incident impacting us or any of these entities could materially adversely affect our business strategy, performance, and results of operations. These cybersecurity threats and related risks make it imperative that we expend resources on cybersecurity.

Risk Management

We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. We have established cybersecurity awareness training and ongoing monitoring.

In the event of an incident, we intend to follow our cybersecurity incident response plan, which outlines the steps to be followed from incident detection to mitigation and notification. We contract with external firms that have extensive information technology and program management experience. We have implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. As a biopharmaceutical company, we must comply with extensive regulations, including requirements imposed by the Federal Drug Administration related to adequately safeguarding patient information and reporting cybersecurity incidents to the SEC. In addition to following SEC guidance and implementing pre-existing third-party frameworks, we have developed our own practices and frameworks, which we believe enhance our ability to identify and manage cybersecurity risks. Assessing, identifying, and managing cybersecurity-related risks are factored into our overall business approach. We rely heavily on our supply chain to deliver our products and services, and a cybersecurity incident at a clinical site, subcontractor, or business partner could materially adversely impact us. We require that our subcontractors report cybersecurity incidents to our IT Incident Response Coordinator, who will investigate the direct impact of the incident. Once a potential incident has been confirmed, the Incident Response Coordinator will notify senior management that activation of the incident response plan is required and assign a severity rating, ranging from none to critical, based on the perceived impact.

Governance

The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the Audit Committee.

Our Information Technology Lead is responsible for the strategic leadership and day-to-day management of our cybersecurity risk management program. The individual has been working in that role for the company for more than 10 years. We also engaged with third-party IT service providers, who specialize in the field of cybersecurity risk management, for targeted employee training and system risk assessments.

While we have not experienced any material cybersecurity threats or incidents in recent years, there can be no guarantee that we will not be the subject of future threats or incidents. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See “Risk Factors” for a discussion of cybersecurity risks.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits, or consulting on best practices to address new challenges. We have established cybersecurity awareness training and ongoing monitoring.

In the event of an incident, we intend to follow our cybersecurity incident response plan, which outlines the steps to be followed from incident detection to mitigation and notification. We contract with external firms that have extensive information technology and program management experience. We have implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. As a biopharmaceutical company, we must comply with extensive regulations, including requirements imposed by the Federal Drug Administration related to adequately safeguarding patient information and reporting cybersecurity incidents to the SEC. In addition to following SEC guidance and implementing pre-existing third-party frameworks, we have developed our own practices and frameworks, which we believe enhance our ability to identify and manage cybersecurity risks. Assessing, identifying, and managing cybersecurity-related risks are factored into our overall business approach. We rely heavily on our supply chain to deliver our products and services, and a cybersecurity incident at a clinical site, subcontractor, or business partner could materially adversely impact us. We require that our subcontractors report cybersecurity incidents to our IT Incident Response Coordinator, who will investigate the direct impact of the incident. Once a potential incident has been confirmed, the Incident Response Coordinator will notify senior management that activation of the incident response plan is required and assign a severity rating, ranging from none to critical, based on the perceived impact.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We rely heavily on our supply chain to deliver our products and services, and a cybersecurity incident at a clinical site, subcontractor, or business partner could materially adversely impact us. We require that our subcontractors report cybersecurity incidents to our IT Incident Response Coordinator, who will investigate the direct impact of the incident. Once a potential incident has been confirmed, the Incident Response Coordinator will notify senior management that activation of the incident response plan is required and assign a severity rating, ranging from none to critical, based on the perceived impact.
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the Audit Committee.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the Audit Committee.
Cybersecurity Risk Role of Management [Text Block]

The Audit Committee has oversight responsibility for risks and incidents relating to cybersecurity threats, including compliance with disclosure requirements, cooperation with law enforcement, and related effects on financial and other risks, and it reports any findings and recommendations, as appropriate, to the full Board for consideration. Senior management regularly discusses cyber risks and trends and, should they arise, any material incidents with the Audit Committee.

Our Information Technology Lead is responsible for the strategic leadership and day-to-day management of our cybersecurity risk management program. The individual has been working in that role for the company for more than 10 years. We also engaged with third-party IT service providers, who specialize in the field of cybersecurity risk management, for targeted employee training and system risk assessments.

While we have not experienced any material cybersecurity threats or incidents in recent years, there can be no guarantee that we will not be the subject of future threats or incidents. Notwithstanding the extensive approach we take to cybersecurity, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured. See “Risk Factors” for a discussion of cybersecurity risks.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Information Technology Lead is responsible for the strategic leadership and day-to-day management of our cybersecurity risk management program.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The individual has been working in that role for the company for more than 10 years. We also engaged with third-party IT service providers, who specialize in the field of cybersecurity risk management, for targeted employee training and system risk assessments.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

In the event of an incident, we intend to follow our cybersecurity incident response plan, which outlines the steps to be followed from incident detection to mitigation and notification. We contract with external firms that have extensive information technology and program management experience. We have implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks. As a biopharmaceutical company, we must comply with extensive regulations, including requirements imposed by the Federal Drug Administration related to adequately safeguarding patient information and reporting cybersecurity incidents to the SEC. In addition to following SEC guidance and implementing pre-existing third-party frameworks, we have developed our own practices and frameworks, which we believe enhance our ability to identify and manage cybersecurity risks. Assessing, identifying, and managing cybersecurity-related risks are factored into our overall business approach. We rely heavily on our supply chain to deliver our products and services, and a cybersecurity incident at a clinical site, subcontractor, or business partner could materially adversely impact us. We require that our subcontractors report cybersecurity incidents to our IT Incident Response Coordinator, who will investigate the direct impact of the incident. Once a potential incident has been confirmed, the Incident Response Coordinator will notify senior management that activation of the incident response plan is required and assign a severity rating, ranging from none to critical, based on the perceived impact.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true