|
Cybersecurity
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
ITEM 1C – CYBERSECURITY
We are increasingly dependent on sophisticated software applications, computing, and cloud infrastructure to conduct key operations. We depend on both our own systems, networks, and technology as well as the systems, networks and technology of our contractors, consultants, vendors and other business partners.
Cybersecurity Program
Given the importance of cybersecurity to our business, we maintain a cybersecurity program to support both the effectiveness of our systems and our preparedness for information security risks. This program includes a number of administrative, physical and technical safeguards, including contracted 24/7/365 Security Operating Center monitoring services and alerting systems for internal and external threats; regular evaluations of our cybersecurity program, including periodic internal and external audits; and industry benchmarking. We also require cybersecurity trainings when onboarding new employees and conduct ongoing cybersecurity awareness testing for our employees. Our program leverages industry frameworks, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) to strengthen our program effectiveness and reduce cybersecurity risks.
We use a risk-based approach with respect to our use and oversight of third-party service providers. We use various means to assess cyber risks related to our third-party service providers, including conducting due diligence in connection with onboarding new vendors and ongoing due diligence with key third-party vendors. We also seek to collect and assess cybersecurity audit reports and other supporting documentation when available where applicable as part of our oversight of third-party providers.
Process for Assessing, Identifying and Managing Material Risks from Cybersecurity Threats
We maintain a cybersecurity incident response program, which includes a set of protocols and procedures that we would follow in the event of a cybersecurity incident. Pursuant to the program and its escalation protocols, designated personnel are responsible for handling and managing potential cybersecurity incidents.
We have relationships with a number of third-party service providers to assist with cybersecurity incident containment and remediation efforts.
Governance
Management Oversight
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Vice President of Information Technology (VP of IT) in conjunction with our managed service provider. The current VP of IT brings over 25 years of experience in IT, having held senior positions in technology management and cybersecurity at publicly traded biotechnology companies. This experience includes spearheading large-scale IT transformations, overseeing the implementation of security frameworks, such as NIST CSF, and developing and maintaining tools and processes to safeguard confidential data. Additionally, the VP of IT has directed comprehensive cybersecurity strategies tailored to the unique challenges of the pharmaceutical industry.
Our managed service provider is a System and Organization Controls (SOC) 2 accredited IT services firm that completed an annual audit, providing evidence of ongoing compliance to obtain the SOC 2 designation. This managed service provider has over a decade of experience delivering services and consulting related to regulatory security requirements. Our managed service provider is responsible for the day-to-day management of our cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to ensure that our cybersecurity program is designed to function effectively in the face of evolving cybersecurity threats. The managed service provider provides regular briefings to members of our management team on cybersecurity matters, including threats, events and program enhancements.
Board Oversight
The Board of Directors (Board), acting through the Audit Committee of the Board (Audit Committee), has overall responsibility for risk oversight and oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management and overseeing the Company’s data privacy, information technology and security and cybersecurity risk exposures. On a regular basis, the VP of IT reports to the Audit Committee on information technology and cybersecurity matters, including key risks, the potential impact of those exposures on the Company’s business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures, the Company’s information governance and cybersecurity policies and programs, and significant legal and regulatory developments that could materially impact the Company’s cybersecurity risk exposure.
The VP of IT is also responsible for apprising the Audit Committee of cybersecurity incidents promptly for more significant incidents and in the aggregate for less significant incidents.
Cybersecurity Risks
Our senior management identifies, assesses and evaluates risks impacting our operations across the Company, including those risks related to cybersecurity. Senior management is asked to consider the severity and likelihood of certain risk factors, drawing upon their knowledge of the Company and past business experience.
We maintain specific insurance coverage to mitigate losses associated with cybersecurity incidents that impact our or our third parties’ systems, networks, and technology.
As of December 31, 2024, we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect. While we maintain a comprehensive cybersecurity program, the techniques used to infiltrate information technology systems continue to evolve. Accordingly, we may not be able to timely detect threats or anticipate and implement adequate security measures. For additional information, see “Item 1A—Risk Factors.”
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|we are not aware of any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the business strategy, results of operations or financial condition of the Company or are reasonably likely to have such a material effect.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board Oversight
The Board of Directors (Board), acting through the Audit Committee of the Board (Audit Committee), has overall responsibility for risk oversight and oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management and overseeing the Company’s data privacy, information technology and security and cybersecurity risk exposures. On a regular basis, the VP of IT reports to the Audit Committee on information technology and cybersecurity matters, including key risks, the potential impact of those exposures on the Company’s business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures, the Company’s information governance and cybersecurity policies and programs, and significant legal and regulatory developments that could materially impact the Company’s cybersecurity risk exposure.
The VP of IT is also responsible for apprising the Audit Committee of cybersecurity incidents promptly for more significant incidents and in the aggregate for less significant incidents.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors (Board), acting through the Audit Committee of the Board (Audit Committee), has overall responsibility for risk oversight and oversees cybersecurity risk matters. The Audit Committee is responsible for reviewing, discussing with management and overseeing the Company’s data privacy, information technology and security and cybersecurity risk exposures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|On a regular basis, the VP of IT reports to the Audit Committee on information technology and cybersecurity matters, including key risks, the potential impact of those exposures on the Company’s business, financial results, operations and reputation, the programs and steps implemented by management to monitor and mitigate exposures, the Company’s information governance and cybersecurity policies and programs, and significant legal and regulatory developments that could materially impact the Company’s cybersecurity risk exposure.
|Cybersecurity Risk Role of Management [Text Block]
|
Management Oversight
The controls and processes employed to assess, identify and manage material risks from cybersecurity threats are implemented and overseen by our Vice President of Information Technology (VP of IT) in conjunction with our managed service provider. The current VP of IT brings over 25 years of experience in IT, having held senior positions in technology management and cybersecurity at publicly traded biotechnology companies. This experience includes spearheading large-scale IT transformations, overseeing the implementation of security frameworks, such as NIST CSF, and developing and maintaining tools and processes to safeguard confidential data. Additionally, the VP of IT has directed comprehensive cybersecurity strategies tailored to the unique challenges of the pharmaceutical industry.
Our managed service provider is a System and Organization Controls (SOC) 2 accredited IT services firm that completed an annual audit, providing evidence of ongoing compliance to obtain the SOC 2 designation. This managed service provider has over a decade of experience delivering services and consulting related to regulatory security requirements. Our managed service provider is responsible for the day-to-day management of our cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to ensure that our cybersecurity program is designed to function effectively in the face of evolving cybersecurity threats. The managed service provider provides regular briefings to members of our management team on cybersecurity matters, including threats, events and program enhancements.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our senior management identifies, assesses and evaluates risks impacting our operations across the Company, including those risks related to cybersecurity.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The current VP of IT brings over 25 years of experience in IT, having held senior positions in technology management and cybersecurity at publicly traded biotechnology companies. This experience includes spearheading large-scale IT transformations, overseeing the implementation of security frameworks, such as NIST CSF, and developing and maintaining tools and processes to safeguard confidential data. Additionally, the VP of IT has directed comprehensive cybersecurity strategies tailored to the unique challenges of the pharmaceutical industry. This managed service provider has over a decade of experience delivering services and consulting related to regulatory security requirements.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our managed service provider is responsible for the day-to-day management of our cybersecurity program, including the prevention, detection, investigation, response to, and recovery from cybersecurity threats and incidents, and is regularly engaged to ensure that our cybersecurity program is designed to function effectively in the face of evolving cybersecurity threats.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true