|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We rely on information technology and data to operate our business and develop, market, and deliver our therapies to our customers. We have implemented and maintain various information security processes designed to identify, assess, and manage material risks from cybersecurity threats to critical computer networks, third-party hosted services, communications systems, hardware, lab equipment, software, and our critical data, including confidential, personal, proprietary, and sensitive data (collectively, Information Assets). Accordingly, we maintain certain risk assessment processes intended to identify cybersecurity threats, determine their likelihood of occurring, and assess potential material impact to our business. Based on our assessment, we implement and maintain risk management processes designed to protect the confidentiality, integrity, and availability of our Information Assets and mitigate harm to our business. Our cybersecurity program is informed in part by the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and identified cybersecurity risks are documented and tracked within a formal cybersecurity risk register.
Our general risk management program is designed to manage identified material risks, which include material cybersecurity risks.
We engage in processes designed to identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, coordinating with law enforcement concerning threats, conducting threat assessments for internal and external threats, and conducting vulnerability assessments to identify vulnerabilities. We also conduct annual third-party penetration testing, maintain external cybersecurity incident response partners who can assist in the event of an incident, and conduct annual incident-response tabletop exercises to evaluate and improve our readiness.
We rely on a multidisciplinary team (including personnel from management, and third-party service providers, as described further below) to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats.
Depending on the environment, we implement and maintain various technical, physical, and organizational measures designed to manage and mitigate material risks from cybersecurity threats to our Information Assets. The cybersecurity risk management and mitigation measures we implement for certain of our Information Assets include:
•policies and procedures designed to address cybersecurity threats, including an incident response plan, vulnerability management policy, and disaster recovery/business continuity plans, which are evaluated periodically;
•incident detection and response tools;
•internal and/or external audits to assess our exposure to cybersecurity threats, environment, compliance with risk mitigation procedures, and effectiveness of relevant controls;
•documented risk assessments;
•implementation of security standards/certifications;
•encryption of data;
•network security controls;
•threat modeling;
•data segregation;
•physical and electronic access controls;
•physical security;
•asset management, tracking, and disposal;
•systems monitoring;
•vendor risk management program;
•employee security training, including mandatory annual cybersecurity training for all employees and additional role-based training where appropriate, with contractors who have access to our systems also required to complete cybersecurity training, as well as regular phishing simulations;
•penetration testing, including annual third-party penetration testing;
•red/blue team exercises;
•cyber insurance; and
•dedicated cybersecurity staff and officers.
We work with third parties from time to time that assist us in identifying, assessing, and managing cybersecurity risks, including professional services firms, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, managed cybersecurity service providers, and penetration testing firms.
To operate our business, we utilize certain third-party service providers to perform a variety of functions, such as outsourced business-critical functions, clinical research, professional services, Software as a Service (SaaS) platforms, managed services, property management, cloud-based infrastructure, data-center facilities, content delivery, encryption and authentication technology, corporate productivity services, and other functions. We have certain vendor management processes designed to help manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services provided and/or the information processed (including requirements that service providers notify us of certain cybersecurity incidents), conducting security assessments, conducting on-site inspections, requiring completion of written questionnaires regarding the service provider’s services and data-handling practices, and conducting periodic re-assessments of critical or high-risk providers during their engagement.
For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see Part I, Item 1A. Risk Factors for additional information about cybersecurity-related risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We engage in processes designed to identify such threats by, among other things, monitoring the threat environment using manual and automated tools, subscribing to reports and services that identify cybersecurity threats, analyzing reports of threats and actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, coordinating with law enforcement concerning threats, conducting threat assessments for internal and external threats, and conducting vulnerability assessments to identify vulnerabilities. We also conduct annual third-party penetration testing, maintain external cybersecurity incident response partners who can assist in the event of an incident, and conduct annual incident-response tabletop exercises to evaluate and improve our readiness.
We rely on a multidisciplinary team (including personnel from management, and third-party service providers, as described further below) to assess how identified cybersecurity threats could impact our business. These assessments may leverage, among other processes, industry tools and metrics designed to assist in the assessment of risks from such cybersecurity threats.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our cybersecurity risk assessment and management processes are implemented and maintained by certain of our management, including our Chief Information Officer (CIO), who reports to the Chief Financial Officer (CFO), and our Head of Cyber Security, who reports to the CIO and is responsible for day-to-day cybersecurity operations. Our CIO has 24 years of experience in global information technology leadership focused on digital transformation and artificial intelligence (AI) automation, including establishing responsible AI councils and leading AI governance. Our Head of Cyber Security has 25 years of experience in cybersecurity, including security operations, incident response, vulnerability management, penetration testing, identity and access management, security architecture, AI security and governance, and third-party risk management, and holds a Master of Science in Cyber Security and a Bachelor of Science in Information Systems, maintains industry certifications including Certified Information Systems Security Professional (CISSP), and is a Digital Directors Network Boardroom Qualified Technology Expert (QTE).
Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, communicating key priorities to employees, approving budgets, preparing for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management processes involve management who participates in our disclosure controls and procedures.
Our cybersecurity incident response and vulnerability management processes are designed to escalate certain cybersecurity incidents and vulnerabilities to members of management depending on the circumstances, and significant cybersecurity incidents are immediately escalated to executive management. Our incident response team is cross-functional and includes representatives from the CIO’s organization, the Head of Cyber Security, Legal, Finance, Compliance/Privacy, and Communications. This team works together to help mitigate and remediate cybersecurity incidents. In addition, ours incident response processes include reporting to the Audit Committee for certain cybersecurity incidents.
Management is involved with our efforts to prevent, detect, and mitigate cybersecurity incidents by overseeing preparation of cybersecurity policies and procedures, testing of incident response plans (including annual tabletop exercises), and engagement of vendors to conduct penetration tests. Management participates in cybersecurity incident response efforts by being part of the incident response team and helping direct our response to cybersecurity incidents.
Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Head of Cyber Security briefs the Audit Committee on cybersecurity matters quarterly, and the Audit Committee also has access to various reports, summaries, and/or presentations related to cybersecurity threats, risks, and mitigation.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In addition, ours incident response processes include reporting to the Audit Committee for certain cybersecurity incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our cybersecurity risk assessment and management processes are implemented and maintained by certain of our management, including our Chief Information Officer (CIO), who reports to the Chief Financial Officer (CFO), and our Head of Cyber Security, who reports to the CIO and is responsible for day-to-day cybersecurity operations. Our CIO has 24 years of experience in global information technology leadership focused on digital transformation and artificial intelligence (AI) automation, including establishing responsible AI councils and leading AI governance. Our Head of Cyber Security has 25 years of experience in cybersecurity, including security operations, incident response, vulnerability management, penetration testing, identity and access management, security architecture, AI security and governance, and third-party risk management, and holds a Master of Science in Cyber Security and a Bachelor of Science in Information Systems, maintains industry certifications including Certified Information Systems Security Professional (CISSP), and is a Digital Directors Network Boardroom Qualified Technology Expert (QTE).
Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, communicating key priorities to employees, approving budgets, preparing for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management processes involve management who participates in our disclosure controls and procedures.
|Cybersecurity Risk Role of Management [Text Block]
|
Our cybersecurity risk assessment and management processes are implemented and maintained by certain of our management, including our Chief Information Officer (CIO), who reports to the Chief Financial Officer (CFO), and our Head of Cyber Security, who reports to the CIO and is responsible for day-to-day cybersecurity operations. Our CIO has 24 years of experience in global information technology leadership focused on digital transformation and artificial intelligence (AI) automation, including establishing responsible AI councils and leading AI governance. Our Head of Cyber Security has 25 years of experience in cybersecurity, including security operations, incident response, vulnerability management, penetration testing, identity and access management, security architecture, AI security and governance, and third-party risk management, and holds a Master of Science in Cyber Security and a Bachelor of Science in Information Systems, maintains industry certifications including Certified Information Systems Security Professional (CISSP), and is a Digital Directors Network Boardroom Qualified Technology Expert (QTE).
Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, communicating key priorities to employees, approving budgets, preparing for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports. Our cybersecurity incident response and vulnerability management processes involve management who participates in our disclosure controls and procedures.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our cybersecurity risk assessment and management processes are implemented and maintained by certain of our management, including our Chief Information Officer (CIO), who reports to the Chief Financial Officer (CFO), and our Head of Cyber Security, who reports to the CIO and is responsible for day-to-day cybersecurity operations. Our CIO has 24 years of experience in global information technology leadership focused on digital transformation and artificial intelligence (AI) automation, including establishing responsible AI councils and leading AI governance. Our Head of Cyber Security has 25 years of experience in cybersecurity, including security operations, incident response, vulnerability management, penetration testing, identity and access management, security architecture, AI security and governance, and third-party risk management, and holds a Master of Science in Cyber Security and a Bachelor of Science in Information Systems, maintains industry certifications including Certified Information Systems Security Professional (CISSP), and is a Digital Directors Network Boardroom Qualified Technology Expert (QTE).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Management is also responsible for hiring appropriate personnel, integrating cybersecurity considerations into our overall risk management strategy, communicating key priorities to employees, approving budgets, preparing for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Our Board of Directors addresses our cybersecurity risk management as part of its general oversight function. The Audit Committee is responsible for overseeing our cybersecurity risk management processes, including oversight and mitigation of risks from cybersecurity threats. The Head of Cyber Security briefs the Audit Committee on cybersecurity matters quarterly, and the Audit Committee also has access to various reports, summaries, and/or presentations related to cybersecurity threats, risks, and mitigation.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef