|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity.
We understand the importance of preventing, identifying, assessing and managing material risks associated with cybersecurity threats. Cybersecurity processes to identify, assess and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and are designed to help protect our information assets and operations from internal and external cyber threats and protect employee and patient information from unauthorized access or attack, as well as secure our network and systems. We have implemented into our operations these cybersecurity processes, technologies and controls to identify, assess and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures. Further, we employ periodic internal and external penetration testing by an independent cybersecurity firm to inform our risk identification and assessment of critical, high, medium and minor material cybersecurity threats.
To manage our material risks from cybersecurity threats and to protect against, detect, and prepare to respond to cybersecurity incidents, we undertake the below listed activities:
• Monitor evolving cybersecurity standards and emerging data protection laws and implement changes to our processes to comply;
• Conduct annual policy re-certifications for all employees regarding data protection, data breach reporting requirements and data classification;
• Employ multifactor authentication on internal and external systems;
• Conduct regular phishing email simulations for all employees; and
• Carry cybersecurity risk insurance that provides protection against the potential losses arising from a cybersecurity incident.
Our incident response plan coordinates the activities that we and our third-party cybersecurity providers take to prepare to respond and recover from cybersecurity incidents, which include processes to triage, assess severity, investigate, escalate, contain, and remediate an incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we engage with subject matter expert consultants to review our cybersecurity program to help identify areas for continued focus, improvement, and compliance.
Our processes also include assessing cybersecurity threat risks associated with our use of third-party services providers in the normal course of business, including those in our supply chain or who have access to patient and employee data or our systems. Third-party risks are included within our risk management process discussed above. In addition, we assess cybersecurity considerations in the selection and oversight of our third-party services providers, including due diligence on the third parties that have access to our systems and facilities that house systems and data.
Based on an assessment using the previously described risk management processes, we do not believe that there are currently any known risks from cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition. However, cybersecurity threats may affect our business. See “Our internal information technology systems, or those of our vendors, collaborators or other contractors or consultants, may fail or suffer security breaches, loss or leakage of data and other disruptions or compromise, which could result in a material disruption of our product development programs, compromise sensitive information related to our business or prevent us from accessing critical information, trigger contractual and legal obligations, potentially exposing us to liability, reputational harm or otherwise adversely affecting our business and financial results.” in "Item 1A. Risk Factors" of this Annual Report on Form 10-K.
The Audit Committee of the Board of Directors is responsible for oversight of our cybersecurity risk assessment, risk management, incident response procedures and cybersecurity risks and provides updates to the Board of Directors regarding such oversight. Periodically during each year, the Audit Committee receives an overview from our Vice President, Head of Technology of our cybersecurity threat risk management and strategy processes, including potential impact on us, the efforts of management to manage the risks that are identified and our incident response preparations. Members of the Board of Directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk assessment, risk management and strategy programs.
Our cybersecurity risk assessment, management and strategy processes are led by our Vice President, Head of Technology. Our Vice President, Head of Technology has over 20 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs. The Vice President, Head of Technology, a Certified Information Security Manager (CISM) with up-to-date credentials, is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.
In an effort to deter and detect cyber threats, we periodically provide all employees with data protection and cybersecurity awareness training, which covers a range of timely and relevant topics. Past topics have included social engineering, phishing, password protection, confidential data protection, and asset use. The training functions to educate employees on the importance of reporting all security and privacy incidents immediately. We send out bi-weekly simulated phishing tests to all employees for ongoing awareness of relevant phishing campaigns. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity processes to identify, assess and manage risks from cybersecurity threats have been incorporated as a part of our overall risk assessment process and are designed to help protect our information assets and operations from internal and external cyber threats and protect employee and patient information from unauthorized access or attack, as well as secure our network and systems. We have implemented into our operations these cybersecurity processes, technologies and controls to identify, assess and manage material risks. Specifically, we engage a third-party cybersecurity firm to assist with network and endpoint monitoring, cloud system monitoring and assessment of our incident response procedures.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Audit Committee of the Board of Directors is responsible for oversight of our cybersecurity risk assessment, risk management, incident response procedures and cybersecurity risks and provides updates to the Board of Directors regarding such oversight. Periodically during each year, the Audit Committee receives an overview from our Vice President, Head of Technology of our cybersecurity threat risk management and strategy processes, including potential impact on us, the efforts of management to manage the risks that are identified and our incident response preparations. Members of the Board of Directors regularly engage in discussions with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk assessment, risk management and strategy programs.
Our cybersecurity risk assessment, management and strategy processes are led by our Vice President, Head of Technology. Our Vice President, Head of Technology has over 20 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs. The Vice President, Head of Technology, a Certified Information Security Manager (CISM) with up-to-date credentials, is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.
In an effort to deter and detect cyber threats, we periodically provide all employees with data protection and cybersecurity awareness training, which covers a range of timely and relevant topics. Past topics have included social engineering, phishing, password protection, confidential data protection, and asset use. The training functions to educate employees on the importance of reporting all security and privacy incidents immediately. We send out bi-weekly simulated phishing tests to all employees for ongoing awareness of relevant phishing campaigns. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee of the Board of Directors is responsible for oversight of our cybersecurity risk assessment, risk management, incident response procedures and cybersecurity risks and provides updates to the Board of Directors regarding such oversight.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Periodically during each year, the Audit Committee receives an overview from our Vice President, Head of Technology of our cybersecurity threat risk management and strategy processes, including potential impact on us, the efforts of management to manage the risks that are identified and our incident response preparations.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk assessment, management and strategy processes are led by our Vice President, Head of Technology. Our Vice President, Head of Technology has over 20 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs. The Vice President, Head of Technology, a Certified Information Security Manager (CISM) with up-to-date credentials, is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.
In an effort to deter and detect cyber threats, we periodically provide all employees with data protection and cybersecurity awareness training, which covers a range of timely and relevant topics. Past topics have included social engineering, phishing, password protection, confidential data protection, and asset use. The training functions to educate employees on the importance of reporting all security and privacy incidents immediately. We send out bi-weekly simulated phishing tests to all employees for ongoing awareness of relevant phishing campaigns. We also use technology-based tools to mitigate cybersecurity risks and to bolster our employee-based cybersecurity programs.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Vice President, Head of Technology, a Certified Information Security Manager (CISM) with up-to-date credentials, is informed about and monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Vice President, Head of Technology has over 20 years of experience in various roles involving managing information security, managing privacy and data protection, developing cybersecurity strategy, and implementing cybersecurity programs.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|monitors the prevention, mitigation, detection and remediation of cybersecurity incidents through management of the cybersecurity risk management and strategy processes described above, including our incident response plan.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true