|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Avalo’s management and Board of Directors recognize the importance of information security and managing cybersecurity risks across the enterprise. We have strategically designed our robust Information Security Program (the “Program”) to assess, identify, and manage these cybersecurity risks, protect the Company from such risks, and respond to, and recover from, cybersecurity incidents.
The Company’s Information Security Working Group (“ISWG”) is actively engaged in managing cybersecurity risks and overseeing the design, implementation, and evaluation of the Program. The purpose of the ISWG is to define cybersecurity risk tolerance, guide implementation of the Program, monitor Program development and effectiveness, and validate investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the Chief Legal Officer, the head of the Company’s Human Resource department, the Senior Vice President of Program Management and Corporate Infrastructure, the Senior Vice President of Regulatory and Quality Assurance, and the Company’s head of Information Technology. The group meets semi-annually to review the effectiveness of the Program, discuss any new developments and potential improvements to the Program, and evaluate internal and external security-related events to determine how Avalo can take appropriate steps to mitigate such risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The Company’s Information Security Working Group (“ISWG”) is actively engaged in managing cybersecurity risks and overseeing the design, implementation, and evaluation of the Program. The purpose of the ISWG is to define cybersecurity risk tolerance, guide implementation of the Program, monitor Program development and effectiveness, and validate investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the Chief Legal Officer, the head of the Company’s Human Resource department, the Senior Vice President of Program Management and Corporate Infrastructure, the Senior Vice President of Regulatory and Quality Assurance, and the Company’s head of Information Technology. The group meets semi-annually to review the effectiveness of the Program, discuss any new developments and potential improvements to the Program, and evaluate internal and external security-related events to determine how Avalo can take appropriate steps to mitigate such risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Audit Committee (the “Committee”) is primarily responsible for oversight of the Program. The Committee is composed of directors with expertise in technology, audit, finance, and compliance, equipping them to effectively oversee the program. Yingping Zhang serves as our Vice President of Information Technology, and she also helps oversee the implementation and effectiveness of the Program as a member of the ISWG. Ms. Zhang graduated from the University of Pittsburgh with a Master of Science in Electrical Engineering and has over thirty years of experience as an information technology professional. Prior to Avalo, Ms. Zhang worked as an Executive Consultant for Insightful Group, the Vice President of Information Technology at Horizon, and the Vice President of Informational Technology and Information Services at Viela Bio, among other positions within biopharma companies. Ms. Zhang reports to Lisa Hegg, Senior Vice President of Program Management and Corporate Infrastructure. Ms. Hegg provides information technology and cybersecurity reports as necessary at meetings of management’s Disclosure Committee, which is communicated quarterly to the Audit Committee, with greater frequency as necessary. Ms. Zhang regularly informs Ms. Hegg, our Chief Executive Officer (CEO) and other members of the leadership team, about the Program, best practices, current cybersecurity threats, the risk landscape, and mitigation strategies. These reports include the following on an as-needed basis: updates on the Program; assessment of the Program; emerging risks or concerns; policies, procedures, and training; and risk mitigation strategies.
The underlying controls of our Program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Ms. Zhang is responsible for developing enterprise-wide cybersecurity strategy, architecture, policies, processes, and controls, and is directly responsible for our cybersecurity program.
We use various tools and methodologies to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and using third-party service providers. These third parties include cybersecurity managed security service providers (MSSPs), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. To ensure we use reputable vendors for our information systems, we review and confirm SOC 1 reports for vendors providing critical business services. For vendors handling Avalo’s clinical and manufacturing information, we employ quality agreements and vendor audits to ensure vendor compliance with our Program and all applicable regulatory requirements. We also engaged internal auditors to conduct a walkthrough of our information technology control environment, test our information technology controls, and report to us any findings. External security service firms monitor the Company’s networks at all times, and Company laptops are patched weekly with up-to-date antivirus and real time threat-monitoring protection. Further, we actively engage with key vendors, industry participants, and law enforcement officials as part of our continuing efforts to evaluate and improve our Program.
Our regular interactions with third-party vendors and suppliers pose a cybersecurity risk that could adversely impact our business or employees. We conduct information security assessments before onboarding and upon detection of an increase in risk profile. In addition, we require providers to meet appropriate security requirements, controls and responsibilities and include additional security and privacy addenda to our contracts where applicable.
Internally, our employees are a key part of our Program. All Avalo employees and contractors are required to participate in annual security awareness training, which includes phishing simulations. Company Employees are also trained on policies of information security and acceptable usage of systems, as well as procedures related to electronic record management, and Avalo regularly reviews and updates user accounts and permissions and ensures that only approved applications are installed on Company devices. The Company manages endpoints centrally and content can be deleted remotely in the event of stolen devices or terminated users.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee (the “Committee”) is primarily responsible for oversight of the Program. The Committee is composed of directors with expertise in technology, audit, finance, and compliance, equipping them to effectively oversee the program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Company’s Information Security Working Group (“ISWG”) is actively engaged in managing cybersecurity risks and overseeing the design, implementation, and evaluation of the Program. The purpose of the ISWG is to define cybersecurity risk tolerance, guide implementation of the Program, monitor Program development and effectiveness, and validate investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the Chief Legal Officer, the head of the Company’s Human Resource department, the Senior Vice President of Program Management and Corporate Infrastructure, the Senior Vice President of Regulatory and Quality Assurance, and the Company’s head of Information Technology. The group meets semi-annually to review the effectiveness of the Program, discuss any new developments and potential improvements to the Program, and evaluate internal and external security-related events to determine how Avalo can take appropriate steps to mitigate such risks.
|Cybersecurity Risk Role of Management [Text Block]
|
The underlying controls of our Program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Ms. Zhang is responsible for developing enterprise-wide cybersecurity strategy, architecture, policies, processes, and controls, and is directly responsible for our cybersecurity program.We use various tools and methodologies to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and using third-party service providers. These third parties include cybersecurity managed security service providers (MSSPs), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. To ensure we use reputable vendors for our information systems, we review and confirm SOC 1 reports for vendors providing critical business services. For vendors handling Avalo’s clinical and manufacturing information, we employ quality agreements and vendor audits to ensure vendor compliance with our Program and all applicable regulatory requirements. We also engaged internal auditors to conduct a walkthrough of our information technology control environment, test our information technology controls, and report to us any findings. External security service firms monitor the Company’s networks at all times, and Company laptops are patched weekly with up-to-date antivirus and real time threat-monitoring protection. Further, we actively engage with key vendors, industry participants, and law enforcement officials as part of our continuing efforts to evaluate and improve our Program.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Audit Committee (the “Committee”) is primarily responsible for oversight of the Program. The Committee is composed of directors with expertise in technology, audit, finance, and compliance, equipping them to effectively oversee the program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Yingping Zhang serves as our Vice President of Information Technology, and she also helps oversee the implementation and effectiveness of the Program as a member of the ISWG. Ms. Zhang graduated from the University of Pittsburgh with a Master of Science in Electrical Engineering and has over thirty years of experience as an information technology professional. Prior to Avalo, Ms. Zhang worked as an Executive Consultant for Insightful Group, the Vice President of Information Technology at Horizon, and the Vice President of Informational Technology and Information Services at Viela Bio, among other positions within biopharma companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Ms. Zhang reports to Lisa Hegg, Senior Vice President of Program Management and Corporate Infrastructure. Ms. Hegg provides information technology and cybersecurity reports as necessary at meetings of management’s Disclosure Committee, which is communicated quarterly to the Audit Committee, with greater frequency as necessary. Ms. Zhang regularly informs Ms. Hegg, our Chief Executive Officer (CEO) and other members of the leadership team, about the Program, best practices, current cybersecurity threats, the risk landscape, and mitigation strategies. These reports include the following on an as-needed basis: updates on the Program; assessment of the Program; emerging risks or concerns; policies, procedures, and training; and risk mitigation strategies.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef