|
Cybersecurity Risk Management, Strategy and Governance
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity.
Risk Management and Strategy
We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes. In collaboration with our external vendors specializing in cybersecurity management, we routinely assess material risks from cybersecurity threats, including any potential unauthorized access to our information systems that could result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.
We conduct periodic risk assessments to identify cybersecurity threats, as well as assessments of planned material changes in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.
Following these risk assessments, we consider whether and how to re-design, implement, and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. In consideration of the size and complexity of our business, we devote significant internal and external resources to manage material risks from cybersecurity threats. We also designate specific personnel, including our Senior Director, Information Technology, to manage the risk assessment and mitigation process and to closely coordinate with our General Counsel on applicable regulatory obligations.
As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards. Personnel at all levels and departments are made aware of our cybersecurity policies through required policy review and trainings at the time of hire and periodically during their employment with us.
We engage consultants, auditors, or other third parties in connection with our risk assessment processes. These professionals assist us in the design and implementation of our cybersecurity policies and procedures, as well as to monitor and test our safeguards. In addition, in order to mitigate cybersecurity risks associated with our use of third-party service providers, we require certain third-party service providers to certify that they have the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.
For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Our computer systems, or those of any of our CROs, manufacturers, contractors, consultants or other third parties or potential future collaborators, may fail or suffer security incidents or data privacy breaches or other unauthorized or improper access to, use of, or
destruction of our proprietary or confidential data, employee data, or personal data, which could result in additional costs, loss of revenue, significant liabilities, harm to our brand and material disruption of our operations.”
Governance
One of the key functions of our board of directors (our “Board”) is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee.
Our Senior Director, Information Technology, along with the members of our Incident Response Team, which includes our Senior Vice President, Finance and our General Counsel, are primarily responsible to assess and manage our material risks from cybersecurity threats. Our Incident Response Team is supported by an experienced managed service provider and an incident response provider with extensive global cybersecurity expertise, who each monitor, assess and report threats to us. Additionally, our Senior Director, Information Technology has over twenty years of experience operating in the information technology, security and cybersecurity space. In particular, he has experience with cybersecurity assessment and prevention, incident responses, breach notifications and remediation.
Our Senior Director, Information Technology oversees our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above and, along with and informed by the Information Technology organization and our Incident Response Team, monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Depending on the severity of the security incident, the Incident Response Team will report the security incident to our Audit Committee, including the financial impact of the security incident and any regulatory violations. As our Information Technology organization monitors the security and effectiveness of our policies and procedures, they also work to keep the Senior Director, Information Technology and other members of leadership informed of critical incidents, process updates, or other material details, in accordance with our internal reporting structure.
Our Audit Committee receives an annual briefing regarding our company’s cybersecurity risks and activities, including the status of cybersecurity system development, company-wide cybersecurity training programs, material changes to the cybersecurity system, policies or practices, any recent cybersecurity incidents and related responses, cybersecurity systems testing and engagement of third-party service providers in support of our cybersecurity system. Special meetings may also be called with the Audit Committee to brief the members on any material cybersecurity incidents and related responses thereto. After such briefings, our Audit Committee will provide an update to the Board on such reports. In addition, the Board will receive periodic updates in meeting materials or directly from our Senior Vice President, Finance on cybersecurity risks and activities.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have established policies and processes for assessing, identifying, and managing material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|For additional information regarding whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K,
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
One of the key functions of our board of directors (our “Board”) is informed oversight of our risk management process, including risks from cybersecurity threats. Our Board is responsible for monitoring and assessing strategic risk exposure, and our executive officers are responsible for the day-to-day management of the material risks we face. Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board administers its cybersecurity risk oversight function directly as a whole, as well as through the Audit Committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Audit Committee receives an annual briefing regarding our company’s cybersecurity risks and activities, including the status of cybersecurity system development, company-wide cybersecurity training programs, material changes to the cybersecurity system, policies or practices, any recent cybersecurity incidents and related responses, cybersecurity systems testing and engagement of third-party service providers in support of our cybersecurity system. Special meetings may also be called with the Audit Committee to brief the members on any material cybersecurity incidents and related responses thereto. After such briefings, our Audit Committee will provide an update to the Board on such reports.
|Cybersecurity Risk Role of Management [Text Block]
|Our Senior Director, Information Technology, along with the members of our Incident Response Team, which includes our Senior Vice President, Finance and our General Counsel, are primarily responsible to assess and manage our material risks from cybersecurity threats. Our Incident Response Team is supported by an experienced managed service provider and an incident response provider with extensive global cybersecurity expertise, who each monitor, assess and report threats to us. Additionally, our Senior Director, Information Technology has over twenty years of experience operating in the information technology, security and cybersecurity space. In particular, he has experience with cybersecurity assessment and prevention, incident responses, breach notifications and remediation.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Senior Director, Information Technology, along with the members of our Incident Response Team, which includes our Senior Vice President, Finance and our General Counsel, are primarily responsible to assess and manage our material risks from cybersecurity threats. Our Incident Response Team is supported by an experienced managed service provider and an incident response provider with extensive global cybersecurity expertise, who each monitor, assess and report threats to us.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|our Senior Director, Information Technology has over twenty years of experience operating in the information technology, security and cybersecurity space. In particular, he has experience with cybersecurity assessment and prevention, incident responses, breach notifications and remediation.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Depending on the severity of the security incident, the Incident Response Team will report the security incident to our Audit Committee, including the financial impact of the security incident and any regulatory violations. As our Information Technology organization monitors the security and effectiveness of our policies and procedures, they also work to keep the Senior Director, Information Technology and other members of leadership informed of critical incidents, process updates, or other material details, in accordance with our internal reporting structure.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef