|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 16K. Cybersecurity
We recognize the critical importance of maintaining the trust and confidence of patients, business partners and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity policies, standards, processes and practices are based on recognized frameworks established by the United Kingdom National Cyber Security Centre or NCSC, and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
Cybersecurity Risk Management and Strategy; Effect of Risk
We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including as perpetrated by hackers and unintentional damage or disruption to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program and have implemented a Cyber Security Management Team, or CSMT, to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. The CSMT consists of our Director of Operations, Director of Finance, and Senior Vice President of Clinical Operations.
We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and the services of third-party service providers, including vulnerability assessments, to inform our risk identification and assessment. As discussed in more detail under “Cybersecurity Governance” below, our Audit Committee of our board of directors provides oversight of our CSMT, which leads and conducts our cybersecurity risk management and strategy processes.
We also identify our cybersecurity threat risks by comparing our processes to standards set by the NCSC, as well as by engaging experts to attempt to infiltrate our information systems and conduct risk management assessments. To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:
• monitor emerging data protection laws and implement changes to our processes that are designed to comply with such laws;
• through our policies, practices and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care;
• employ technical safeguards that are designed to protect our information systems from cybersecurity threats, including software operating system updates, anti-virus software, multifactor authentication, firewalls, intrusion prevention and detection systems, anti-malware functionality and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence;
• implement an incident notification and response process to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident; and
• employ a software patch and vulnerability management program, including software updates, computer back-up processes, information technology support, and regular third-party vulnerability scans.
Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate damage to our business and reputation.
As part of the above processes, we regularly engage with consultants and other third parties, including regular third-party review of our cybersecurity program to help identify areas for continued focus, improvement and compliance.
Our processes to address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers who have access to patient and employee data or our systems, include requiring those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, including with respect to processing and transferring personal and patient data. We intend to conduct due diligence of third-party vendors and supplier cybersecurity protocols.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the headings “Our proprietary information, or that of our suppliers and any future collaborators, may be lost or we may suffer security breaches,” “We face regulation and potential liability related to the privacy of health information we obtain from clinical trials sponsored by us or our collaborators,” and “Our business and operations could suffer in the event of information technology and other internal infrastructure system failures,” which disclosures are incorporated by reference herein.
We have not experienced any material cybersecurity incidents and we have not incurred any expenses in relation to cybersecurity incidents. This includes penalties and settlements, of which there were none.
Cybersecurity Governance; Management
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our Audit Committee of our board of directors and our executive management oversee our CSMT, which oversees our risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our Audit Committee of our board of directors and executive management executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to our CSMT, and our board of directors has authorized our Audit Committee and CSMT to oversee risks from cybersecurity threats.
At least quarterly, our Audit Committee receives an update from our CSMT of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, any results from third party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our Audit Committee generally receives materials that include current and emerging material cybersecurity threat risks, describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties. Our Audit Committee and executive management also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Members of our Audit Committee and board of directors are also encouraged to regularly engage in conversations with executive management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board of directors' meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CSMT, which consists of our Director of Operations, Director of Finance, and Senior Vice President of Clinical Operations. Such individuals have collectively over 16 years of prior work experience in various roles involving managing information security, developing cybersecurity strategies, and implementing effective information and cybersecurity programs. These team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these management team members report to the Audit Committee of our board of directors and executive management about cybersecurity threat risks, among other cybersecurity related matters, on a quarterly basis.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We recognize the critical importance of maintaining the trust and confidence of patients, business partners and employees toward our business and are committed to protecting the confidentiality, integrity and availability of our business operations and systems. Our board of directors is actively involved in oversight of our risk management activities, and cybersecurity represents an important element of our overall approach to risk management. Our cybersecurity policies, standards, processes and practices are based on recognized frameworks established by the United Kingdom National Cyber Security Centre or NCSC, and other applicable industry standards. In general, we seek to address cybersecurity risks through a comprehensive, cross-functional approach that is focused on preserving the confidentiality, security and availability of the information that we collect and store by identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the headings “Our proprietary information, or that of our suppliers and any future collaborators, may be lost or we may suffer security breaches,” “We face regulation and potential liability related to the privacy of health information we obtain from clinical trials sponsored by us or our collaborators,” and “Our business and operations could suffer in the event of information technology and other internal infrastructure system failures,” which disclosures are incorporated by reference herein.
We have not experienced any material cybersecurity incidents and we have not incurred any expenses in relation to cybersecurity incidents. This includes penalties and settlements, of which there were none.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance; Management
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our Audit Committee of our board of directors and our executive management oversee our CSMT, which oversees our risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our Audit Committee of our board of directors and executive management executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to our CSMT, and our board of directors has authorized our Audit Committee and CSMT to oversee risks from cybersecurity threats.
At least quarterly, our Audit Committee receives an update from our CSMT of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, any results from third party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our Audit Committee generally receives materials that include current and emerging material cybersecurity threat risks, describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties. Our Audit Committee and executive management also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
Members of our Audit Committee and board of directors are also encouraged to regularly engage in conversations with executive management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board of directors' meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CSMT, which consists of our Director of Operations, Director of Finance, and Senior Vice President of Clinical Operations. Such individuals have collectively over 16 years of prior work experience in various roles involving managing information security, developing cybersecurity strategies, and implementing effective information and cybersecurity programs. These team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these management team members report to the Audit Committee of our board of directors and executive management about cybersecurity threat risks, among other cybersecurity related matters, on a quarterly basis.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our Audit Committee of our board of directors and our executive management oversee our CSMT, which oversees our risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our Audit Committee of our board of directors and executive management executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to our CSMT, and our board of directors has authorized our Audit Committee and CSMT to oversee risks from cybersecurity threats.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
At least quarterly, our Audit Committee receives an update from our CSMT of our cybersecurity threat risk management and strategy processes covering topics such as data security posture, any results from third party assessments, progress towards pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, our Audit Committee generally receives materials that include current and emerging material cybersecurity threat risks, describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties. Our Audit Committee and executive management also receive prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.
|Cybersecurity Risk Role of Management [Text Block]
|In such sessions, our Audit Committee generally receives materials that include current and emerging material cybersecurity threat risks, describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Members of our Audit Committee and board of directors are also encouraged to regularly engage in conversations with executive management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our CSMT, which consists of our Director of Operations, Director of Finance, and Senior Vice President of Clinical Operations. Such individuals have collectively over 16 years of prior work experience in various roles involving managing information security, developing cybersecurity strategies, and implementing effective information and cybersecurity programs. These team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these management team members report to the Audit Committee of our board of directors and executive management about cybersecurity threat risks, among other cybersecurity related matters, on a quarterly basis.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Such individuals have collectively over 16 years of prior work experience in various roles involving managing information security, developing cybersecurity strategies, and implementing effective information and cybersecurity programs. These team members are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true