|
Cybersecurity Risk Management, Strategy, and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity.
Risk management and strategy.
We and our third-party service providers, such as CROs, collect, process, transmit, and store sensitive data on our networks and systems, including intellectual property, proprietary or confidential business information, and a variety of personal data.
We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include response to and an assessment of internal and external threats to the security, confidentiality, integrity and availability of our data and information systems, along with other material risks to our operations.
Our risk management team collaborates with our Chief Information Security Officer ("CISO") and our Head of Legal to evaluate and address cybersecurity risks in alignment with our business objectives and operational needs. We have processes to detect potential vulnerabilities and anomalies through technical safeguards and have adopted policies and procedures around internal and external notification of cybersecurity incidents.
Our CISO and Cybersecurity Manager implement processes around security monitoring and vulnerability testing. We also have in place an incident response plan, which incorporates four overarching and interconnected stages: (1) preparation for a cybersecurity incident, (2) detection and analysis of a security incident, (3) containment, eradication and recovery, and (4) post-incident analysis. The plan specifies that security events and data incidents should be evaluated, ranked by severity and prioritized for response and remediation. Our procedures include an evaluation of incidents to determine materiality as well as operational, business and privacy impact. Our team of cybersecurity and information security professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies. In addition to implementing technical security measures, we have maintained an ongoing cybersecurity awareness and training program.
As part of our risk management process, we engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. In addition, we engage outside providers to conduct annual penetration testing.
We rely on third parties, including cloud vendors, for various business functions. We select key third-party service providers based on several factors, including the type of data processed and the nature of services offered, and we oversee such key third-party service providers by conducting vendor diligence upon onboarding and ongoing monitoring, including security evaluation.
Governance.
Our board of directors has established oversight mechanisms to manage risks from cybersecurity threats. The audit committee of our board of directors (the "Audit Committee") has primary responsibility for oversight of cybersecurity and is briefed on cybersecurity risks at least once a year and following any material cybersecurity incidents. Our board of directors receives periodic updates from our Audit Committee regarding matters of cybersecurity. Our board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any significant updates to our cybersecurity risk management and initiatives.
Our cybersecurity program is overseen by our Head of Information Technology ("IT"), and is managed by our CISO and other leaders from our IT and legal departments. Our Head of IT, CISO and Cybersecurity Manager have an average of over 20 years of prior work experience in various roles involving IT, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to senior management and the Audit Committee on any appropriate items.
Our senior management reports at least annually to the Audit Committee and such reporting includes an overall assessment of the Company’s compliance with our cybersecurity policies and procedures as well as topics including existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive, or business harm, loss of intellectual property rights, significant costs, or the Company being subject to government investigations, litigation, fines, or damages. As of the date of this Annual Report on Form 10-K, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. For more information, see “Risk factors - Risks related to our business operations, employee matters, taxes, litigation, and managing growth - Information system failures or unauthorized or inappropriate use of or access to our information systems risk disclosure of confidential or proprietary information, including personal data, and could damage our reputation, and subject us to significant financial and legal exposure.”
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors has established oversight mechanisms to manage risks from cybersecurity threats. The audit committee of our board of directors (the "Audit Committee") has primary responsibility for oversight of cybersecurity and is briefed on cybersecurity risks at least once a year and following any material cybersecurity incidents. Our board of directors receives periodic updates from our Audit Committee regarding matters of cybersecurity. Our board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any significant updates to our cybersecurity risk management and initiatives.
Our cybersecurity program is overseen by our Head of Information Technology ("IT"), and is managed by our CISO and other leaders from our IT and legal departments. Our Head of IT, CISO and Cybersecurity Manager have an average of over 20 years of prior work experience in various roles involving IT, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to senior management and the Audit Committee on any appropriate items.
Our senior management reports at least annually to the Audit Committee and such reporting includes an overall assessment of the Company’s compliance with our cybersecurity policies and procedures as well as topics including existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.
A cybersecurity incident may materially affect our business, results of operations or financial condition, including where such an incident results in reputational, competitive, or business harm, loss of intellectual property rights, significant costs, or the Company being subject to government investigations, litigation, fines, or damages. As of the date of this Annual Report on Form 10-K, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. For more information, see “Risk factors - Risks related to our business operations, employee matters, taxes, litigation, and managing growth - Information system failures or unauthorized or inappropriate use of or access to our information systems risk disclosure of confidential or proprietary information, including personal data, and could damage our reputation, and subject us to significant financial and legal exposure.”
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors has established oversight mechanisms to manage risks from cybersecurity threats. The audit committee of our board of directors (the "Audit Committee") has primary responsibility for oversight of cybersecurity and is briefed on cybersecurity risks at least once a year and following any material cybersecurity incidents. Our board of directors receives periodic updates from our Audit Committee regarding matters of cybersecurity. Our board members also engage in ad hoc conversations with management on cybersecurity-related news events and discuss any significant updates to our cybersecurity risk management and initiatives.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our CISO and Cybersecurity Manager implement processes around security monitoring and vulnerability testing. We also have in place an incident response plan, which incorporates four overarching and interconnected stages: (1) preparation for a cybersecurity incident, (2) detection and analysis of a security incident, (3) containment, eradication and recovery, and (4) post-incident analysis.
|Cybersecurity Risk Role of Management [Text Block]
|We have adopted processes designed to identify, assess and manage material risks from cybersecurity threats. Those processes include response to and an assessment of internal and external threats to the security, confidentiality, integrity and availability of our data and information systems, along with other material risks to our operations.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CISO and Cybersecurity Manager implement processes around security monitoring and vulnerability testing. We also have in place an incident response plan, which incorporates four overarching and interconnected stages: (1) preparation for a cybersecurity incident, (2) detection and analysis of a security incident, (3) containment, eradication and recovery, and (4) post-incident analysis. The plan specifies that security events and data incidents should be evaluated, ranked by severity and prioritized for response and remediation. Our procedures include an evaluation of incidents to determine materiality as well as operational, business and privacy impact. Our team of cybersecurity and information security professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the Company, and form detection, mitigation and remediation strategies. In addition to implementing technical security measures, we have maintained an ongoing cybersecurity awareness and training program.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Head of IT, CISO and Cybersecurity Manager have an average of over 20 years of prior work experience in various roles involving IT, including security, auditing, compliance, systems and programming.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our cybersecurity program is overseen by our Head of Information Technology ("IT"), and is managed by our CISO and other leaders from our IT and legal departments. Our Head of IT, CISO and Cybersecurity Manager have an average of over 20 years of prior work experience in various roles involving IT, including security, auditing, compliance, systems and programming. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to senior management and the Audit Committee on any appropriate items.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true