|
Cybersecurity
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality, integrity and availability of our critical systems and information. Our cybersecurity risk management program includes a cybersecurity incident response plan. Our cybersecurity risk management program is a key component of our overall risk management process, and includes similar characteristics, reporting channels and governance processes to those that apply across other legal, compliance, strategic, operational and financial risk areas within the Company.
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.
Our cybersecurity risk management program includes:
•
risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
•
a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
•
cybersecurity awareness training of our employees, incident response personnel and senior management;
•
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
•
a third-party risk management process for service providers, suppliers and vendors.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations or financial condition.
Cybersecurity Governance
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to its audit committee oversight of cybersecurity and other information technology risks. The audit committee oversees management’s implementation of our cybersecurity risk management program.
The audit committee receives reports from management on our cybersecurity risks at least annually. In addition, management updates the audit committee regarding all material cybersecurity incidents, as well as any incidents with lesser impact potential that management, in its discretion, determines may be relevant for audit committee review. The audit committee reports to the board of directors regarding its activities, including those related to cybersecurity.
Our management team, including specifically our Chief Financial Officer, working closely with our Vice President of Information Technologies and our Director of Cybersecurity and Compliance (our Cybersecurity Oversight Team), is responsible for assessing and managing our material risks from cybersecurity threats. Our Cybersecurity Oversight Team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Cybersecurity Oversight Team’s experience includes a combined 50+ years in the pharmaceutical industry and information technology. This includes software and systems development, cybersecurity program oversight and overall IT management. The team has over two decades of experience dedicated to supporting enterprise architecture and a decade of experience specializing in cybersecurity, implementing cybersecurity frameworks, assessing and managing cybersecurity risks and executing incident response plans.
Our Cybersecurity Oversight Team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
Pursuant to our Incident Response Plan (IRP), all of our employees are trained to report a suspected cybersecurity incident or breach to our information technology team. Reporting guidelines under the IRP describe how to report an incident and what details to include. As a first step under the IRP, our information technology team assesses the reported risk or breach and escalates it to our Incident Response Team (IRT), as appropriate. The IRT is comprised of the members of our Cybersecurity Oversight Team and other critical business function leaders, including members of our legal and communications teams. Following notification from our information technology team, the IRT is responsible for continuing to assess the suspected risk or breach to determine its potential impact on our organization, systems and data. Based on that assessment, the IRT may raise the incident or breach to other members of management or the audit committee for further review and triage.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to its audit committee oversight of cybersecurity and other information technology risks. The audit committee oversees management’s implementation of our cybersecurity risk management program.
The audit committee receives reports from management on our cybersecurity risks at least annually. In addition, management updates the audit committee regarding all material cybersecurity incidents, as well as any incidents with lesser impact potential that management, in its discretion, determines may be relevant for audit committee review. The audit committee reports to the board of directors regarding its activities, including those related to cybersecurity.
Our management team, including specifically our Chief Financial Officer, working closely with our Vice President of Information Technologies and our Director of Cybersecurity and Compliance (our Cybersecurity Oversight Team), is responsible for assessing and managing our material risks from cybersecurity threats. Our Cybersecurity Oversight Team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants. Our Cybersecurity Oversight Team’s experience includes a combined 50+ years in the pharmaceutical industry and information technology. This includes software and systems development, cybersecurity program oversight and overall IT management. The team has over two decades of experience dedicated to supporting enterprise architecture and a decade of experience specializing in cybersecurity, implementing cybersecurity frameworks, assessing and managing cybersecurity risks and executing incident response plans.
Our Cybersecurity Oversight Team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents through various means, which include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.
Pursuant to our Incident Response Plan (IRP), all of our employees are trained to report a suspected cybersecurity incident or breach to our information technology team. Reporting guidelines under the IRP describe how to report an incident and what details to include. As a first step under the IRP, our information technology team assesses the reported risk or breach and escalates it to our Incident Response Team (IRT), as appropriate. The IRT is comprised of the members of our Cybersecurity Oversight Team and other critical business function leaders, including members of our legal and communications teams. Following notification from our information technology team, the IRT is responsible for continuing to assess the suspected risk or breach to determine its potential impact on our organization, systems and data. Based on that assessment, the IRT may raise the incident or breach to other members of management or the audit committee for further review and triage.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors considers cybersecurity risk as part of its risk oversight function and has delegated to its audit committee oversight of cybersecurity and other information technology risks. The audit committee oversees management’s implementation of our cybersecurity risk management program
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our management team, including specifically our Chief Financial Officer, working closely with our Vice President of Information Technologies and our Director of Cybersecurity and Compliance (our Cybersecurity Oversight Team), is responsible for assessing and managing our material risks from cybersecurity threats
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk management program includes:
•
risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise IT environment;
•
a security team principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
•
the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our security controls;
•
cybersecurity awareness training of our employees, incident response personnel and senior management;
•
a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents; and
•
a third-party risk management process for service providers, suppliers and vendors.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our management team, including specifically our Chief Financial Officer, working closely with our Vice President of Information Technologies and our Director of Cybersecurity and Compliance (our Cybersecurity Oversight Team), is responsible for assessing and managing our material risks from cybersecurity threats.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Cybersecurity Oversight Team’s experience includes a combined 50+ years in the pharmaceutical industry and information technology. This includes software and systems development, cybersecurity program oversight and overall IT management. The team has over two decades of experience dedicated to supporting enterprise architecture and a decade of experience specializing in cybersecurity, implementing cybersecurity frameworks, assessing and managing cybersecurity risks and executing incident response plans.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The audit committee receives reports from management on our cybersecurity risks at least annually. In addition, management updates the audit committee regarding all material cybersecurity incidents, as well as any incidents with lesser impact potential that management, in its discretion, determines may be relevant for audit committee review. The audit committee reports to the board of directors regarding its activities, including those related to cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef