Cybersecurity Risk Management, Strategy and Governance
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

ITEM 1C. CYBERSECURITY

Cybersecurity Governance and Responsibilities

Our Board of Directors recognizes that cybersecurity represents an important component of the Company's overall enterprise risk management (“ERM”). Throughout the year, our Board of Directors and its Committees engage with management to discuss and mitigate a wide range of enterprise risks, including cybersecurity.

We seek to mitigate cybersecurity risks through a cross-functional approach, including our Cybersecurity Committee, focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to and remediating cybersecurity incidents as and if they occur.

Our Cybersecurity Committee is comprised of information technology, finance, legal, human resources and data privacy employees. It meets regularly to review and oversee the Company’s data security programs, policies, and strategies, including with respect to cybersecurity risk mitigation, business continuity, and business resiliency. Our Cybersecurity Committee (along with the Chief Financial Officer and General Counsel) also reviews, analyzes, and responds to cybersecurity incidents and breaches.

Our Audit Committee of the Board of Directors has the responsibility to review and discuss with management the Company’s guidelines, policies, and governance with respect to financial risk exposures and enterprise risk management (including with respect to cybersecurity) and to regularly report to the full Board. Our Audit Committee also oversees our internal audit department and management’s internal controls over financial reporting, including with respect to cybersecurity. Our Audit Committee receives regular presentations and reports on cybersecurity risks and on progress on continued updates to the Company’s cybersecurity procedures, is made aware, on a timely basis, of any cybersecurity incidents deemed significant enough to be raised to its attention by management, and receives ongoing updates regarding any such incident until it has been remediated.

Our head of Information Technology (“IT”) oversees overall cybersecurity management and implements our cybersecurity programs with the IT group, including appropriate risk mitigation strategies, systems, processes, and controls, and provides periodic reports to our Audit Committee at least semi-annually. The head of IT holds a Master’s in Computer Information Systems and a Bachelor of Science degree in Microbiology, and has served in leadership roles within the pharmaceutical and biotechnology industries for over 25 years, including leading enterprise-wide cybersecurity strategies, regulatory compliance programs, and IT transformation initiatives at leading biopharmaceutical companies. The head of IT has expertise spanning cybersecurity governance, risk management, cloud security, AI-driven cybersecurity enhancements, infrastructure modernization, and enterprise-wide IT resilience. The head of IT plays a key role in aligning cybersecurity frameworks with industry regulations such as SOC compliance, SOX, GxP, and data privacy standards, ensuring a secure and compliant IT environment to support business objectives.

Risk Management and Strategy

We periodically assess and test our cybersecurity procedures. We identify and assess material risks from cybersecurity threats by engaging outside advisors and experts to identify, anticipate, and assess future threats and trends, to perform assessments on our cybersecurity risk and measures to mitigate such risk, including information security maturity assessments of our information security control environment. The results of such assessments and reviews are reported as appropriate to the Cybersecurity Committee and Audit Committee, and we adjust our cybersecurity procedures as necessary based on the information provided by these assessments and reviews.

Cybersecurity Technical Safeguards

We continually invest in information and cybersecurity services and technologies. Technical safeguards are designed to protect the Company's information systems from cybersecurity threats, including firewalls, continuous intrusion detection and response system(s), data leak prevention strategies, enhanced email protection software, antimalware functionality and access controls. These safeguards are evaluated and improved through periodic assessments and review of cybersecurity threat intelligence. We rely on third parties to support our cybersecurity program, including but not limited to email security management, security operations and vulnerability management.

Cybersecurity Incident Response and Recovery Planning

We have established and maintain incident response and data recovery plans that address our response to a cybersecurity incident. Our Cybersecurity Committee and members of the Cyber Security Incident Response Team (which contains additional information technology specialists) regularly test and evaluate the effectiveness of these incident response and data recovery plans. In addition to the incident detection safeguards described above, our cybersecurity policy requires employees and third-party vendors to report any and all cybersecurity incidents to our IT department.

Third-Party Risk Management

We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could materially impact our business in the event of a cybersecurity incident affecting those third-party systems. Depending on the nature of the services provided, we may conduct different amounts of diligence into the cybersecurity practices of the third party, monitor the third party for cybersecurity issues, and impose contractual obligations relating to privacy and cybersecurity onto the third party.

Education and Awareness

We provide regular (at least annual) training for personnel regarding cybersecurity threats to equip our personnel with effective tools to address cybersecurity threats, and to communicate the Company's evolving information security procedures.

Current Cybersecurity Risk Posture

For an additional description of the risks from cybersecurity threats that may materially affect the Company, see “Risk Factors” in this Annual Report on Form 10-K, including “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised by a cybersecurity incident, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

For an additional description of the risks from cybersecurity threats that may materially affect the Company, see “Risk Factors” in this Annual Report on Form 10-K, including “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised by a cybersecurity incident, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”

Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance and Responsibilities

Our Board of Directors recognizes that cybersecurity represents an important component of the Company's overall enterprise risk management (“ERM”). Throughout the year, our Board of Directors and its Committees engage with management to discuss and mitigate a wide range of enterprise risks, including cybersecurity.

We seek to mitigate cybersecurity risks through a cross-functional approach, including our Cybersecurity Committee, focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to and remediating cybersecurity incidents as and if they occur.

Our Cybersecurity Committee is comprised of information technology, finance, legal, human resources and data privacy employees. It meets regularly to review and oversee the Company’s data security programs, policies, and strategies, including with respect to cybersecurity risk mitigation, business continuity, and business resiliency. Our Cybersecurity Committee (along with the Chief Financial Officer and General Counsel) also reviews, analyzes, and responds to cybersecurity incidents and breaches.

Our Audit Committee of the Board of Directors has the responsibility to review and discuss with management the Company’s guidelines, policies, and governance with respect to financial risk exposures and enterprise risk management (including with respect to cybersecurity) and to regularly report to the full Board. Our Audit Committee also oversees our internal audit department and management’s internal controls over financial reporting, including with respect to cybersecurity. Our Audit Committee receives regular presentations and reports on cybersecurity risks and on progress on continued updates to the Company’s cybersecurity procedures, is made aware, on a timely basis, of any cybersecurity incidents deemed significant enough to be raised to its attention by management, and receives ongoing updates regarding any such incident until it has been remediated.

Our head of Information Technology (“IT”) oversees overall cybersecurity management and implements our cybersecurity programs with the IT group, including appropriate risk mitigation strategies, systems, processes, and controls, and provides periodic reports to our Audit Committee at least semi-annually. The head of IT holds a Master’s in Computer Information Systems and a Bachelor of Science degree in Microbiology, and has served in leadership roles within the pharmaceutical and biotechnology industries for over 25 years, including leading enterprise-wide cybersecurity strategies, regulatory compliance programs, and IT transformation initiatives at leading biopharmaceutical companies. The head of IT has expertise spanning cybersecurity governance, risk management, cloud security, AI-driven cybersecurity enhancements, infrastructure modernization, and enterprise-wide IT resilience. The head of IT plays a key role in aligning cybersecurity frameworks with industry regulations such as SOC compliance, SOX, GxP, and data privacy standards, ensuring a secure and compliant IT environment to support business objectives.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

We seek to mitigate cybersecurity risks through a cross-functional approach, including our Cybersecurity Committee, focused on preserving the confidentiality, security, and availability of the information that the Company collects and stores by identifying, preventing and mitigating cybersecurity threats and effectively responding to and remediating cybersecurity incidents as and if they occur.

Our Cybersecurity Committee is comprised of information technology, finance, legal, human resources and data privacy employees. It meets regularly to review and oversee the Company’s data security programs, policies, and strategies, including with respect to cybersecurity risk mitigation, business continuity, and business resiliency. Our Cybersecurity Committee (along with the Chief Financial Officer and General Counsel) also reviews, analyzes, and responds to cybersecurity incidents and breaches.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Cybersecurity Committee (along with the Chief Financial Officer and General Counsel) also reviews, analyzes, and responds to cybersecurity incidents and breaches.
Cybersecurity Risk Role of Management [Text Block]

Risk Management and Strategy

We periodically assess and test our cybersecurity procedures. We identify and assess material risks from cybersecurity threats by engaging outside advisors and experts to identify, anticipate, and assess future threats and trends, to perform assessments on our cybersecurity risk and measures to mitigate such risk, including information security maturity assessments of our information security control environment. The results of such assessments and reviews are reported as appropriate to the Cybersecurity Committee and Audit Committee, and we adjust our cybersecurity procedures as necessary based on the information provided by these assessments and reviews.

Cybersecurity Technical Safeguards

We continually invest in information and cybersecurity services and technologies. Technical safeguards are designed to protect the Company's information systems from cybersecurity threats, including firewalls, continuous intrusion detection and response system(s), data leak prevention strategies, enhanced email protection software, antimalware functionality and access controls. These safeguards are evaluated and improved through periodic assessments and review of cybersecurity threat intelligence. We rely on third parties to support our cybersecurity program, including but not limited to email security management, security operations and vulnerability management.

Cybersecurity Incident Response and Recovery Planning

We have established and maintain incident response and data recovery plans that address our response to a cybersecurity incident. Our Cybersecurity Committee and members of the Cyber Security Incident Response Team (which contains additional information technology specialists) regularly test and evaluate the effectiveness of these incident response and data recovery plans. In addition to the incident detection safeguards described above, our cybersecurity policy requires employees and third-party vendors to report any and all cybersecurity incidents to our IT department.

Third-Party Risk Management

We maintain a risk-based approach to identifying and overseeing cybersecurity risks presented by third parties, including vendors, service providers and other external users of the Company’s systems, as well as the systems of third parties that could materially impact our business in the event of a cybersecurity incident affecting those third-party systems. Depending on the nature of the services provided, we may conduct different amounts of diligence into the cybersecurity practices of the third party, monitor the third party for cybersecurity issues, and impose contractual obligations relating to privacy and cybersecurity onto the third party.

Education and Awareness

We provide regular (at least annual) training for personnel regarding cybersecurity threats to equip our personnel with effective tools to address cybersecurity threats, and to communicate the Company's evolving information security procedures.

Current Cybersecurity Risk Posture

For an additional description of the risks from cybersecurity threats that may materially affect the Company, see “Risk Factors” in this Annual Report on Form 10-K, including “If our information technology systems or data, or those of third parties upon which we rely, are or were compromised by a cybersecurity incident, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Audit Committee of the Board of Directors has the responsibility to review and discuss with management the Company’s guidelines, policies, and governance with respect to financial risk exposures and enterprise risk management (including with respect to cybersecurity) and to regularly report to the full Board.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The head of IT holds a Master’s in Computer Information Systems and a Bachelor of Science degree in Microbiology, and has served in leadership roles within the pharmaceutical and biotechnology industries for over 25 years, including leading enterprise-wide cybersecurity strategies, regulatory compliance programs, and IT transformation initiatives at leading biopharmaceutical companies. The head of IT has expertise spanning cybersecurity governance, risk management, cloud security, AI-driven cybersecurity enhancements, infrastructure modernization, and enterprise-wide IT resilience. The head of IT plays a key role in aligning cybersecurity frameworks with industry regulations such as SOC compliance, SOX, GxP, and data privacy standards, ensuring a secure and compliant IT environment to support business objectives.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our head of Information Technology (“IT”) oversees overall cybersecurity management and implements our cybersecurity programs with the IT group, including appropriate risk mitigation strategies, systems, processes, and controls, and provides periodic reports to our Audit Committee at least semi-annually.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true