Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cyberattacks continue to evolve in sophistication and frequency. Among other things, an attack could impair our ability to interact with customers and suppliers, fulfill orders, generate invoices, collect and make payments, ship products, provide support to customers, fulfill contractual obligations and otherwise perform business functions.
Management has implemented a program (“Program”), which is part of our overall Enterprise Risk Management system, focused on the assessment, identification, and management of material risks associated with cybersecurity threats. The Program was developed and is managed by our Vice President of Information Security and Privacy (CISSP, CISM and CISA) with oversight from the Chief Information Officer. Both leaders collectively have over 60 years of technology risk and cybersecurity work experience supporting multiple life science organizations. The Program is also closely aligned with the Legal and Global Compliance organizations to oversee adherence with legal, regulatory and contractual requirements from an information security and data privacy perspective.
Industry standard frameworks including International Organization of Standardization (ISO)/27001 and National Institute of Standards and Technology (NIST) are the foundation of the Program, which includes but is not limited to the fundamental security principles of least privilege access, event monitoring, vulnerability management, education, third-party risk management and incident response. The Program leverages external subject-matter experts that assist with identifying and remediating security risks present in our environment through threat hunting and vulnerability/control testing with a focus on the latest attack vectors. These external experts bring to bear risk mitigation tactics based on current threats observed across multiple organizations with similar risk profiles.
Key Program activities include:
Annual risk assessment to evaluate our profile against cyber risk threats;
Global policies based on the guiding principles of security by design and least-privilege access;
Maintenance of a critical incident response plan and simulation programs, which include procedures to comply with material security incident reporting requirements in collaboration with key members of Executive Management;
A communication framework designed to ensure that the individuals managing the Program are informed about, and in position to monitor the prevention, detection, mitigation, and remediation of, cybersecurity incidents;
Internal and external security assessments and testing to determine our susceptibility to compromise, lateral movement, privilege escalation and overall cybersecurity internal control posture;
Routine phishing simulations to identify areas for control enhancement and additional training;
Periodic end-user security training and cyber-threat awareness;
Suite of tools and processes to minimize the risk of security compromise in addition to detect controls alerting of potential malicious activity; and
Review and approval process focused on evaluating cybersecurity posture and internal controls relating to third party service providers.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Management has implemented a program (“Program”), which is part of our overall Enterprise Risk Management system, focused on the assessment, identification, and management of material risks associated with cybersecurity threats. The Program was developed and is managed by our Vice President of Information Security and Privacy (CISSP, CISM and CISA) with oversight from the Chief Information Officer. Both leaders collectively have over 60 years of technology risk and cybersecurity work experience supporting multiple life science organizations. The Program is also closely aligned with the Legal and Global Compliance organizations to oversee adherence with legal, regulatory and contractual requirements from an information security and data privacy perspective.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] The Audit Committee of the Board of Directors receives an update from the members of management referenced above on our security posture on at least an annual basis, and more often as needed. The Audit Committee provides oversight as to the status of our cybersecurity apparatus and overall Program management (including with respect to the identification and implementation of planned security enhancements), while also advising on risk mitigation activities to address the latest threats.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee provides oversight as to the status of our cybersecurity apparatus and overall Program management (including with respect to the identification and implementation of planned security enhancements), while also advising on risk mitigation activities to address the latest threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee provides oversight as to the status of our cybersecurity apparatus and overall Program management (including with respect to the identification and implementation of planned security enhancements), while also advising on risk mitigation activities to address the latest threats.
Cybersecurity Risk Role of Management [Text Block]
The Audit Committee of the Board of Directors receives an update from the members of management referenced above on our security posture on at least an annual basis, and more often as needed. The Audit Committee provides oversight as to the status of our cybersecurity apparatus and overall Program management (including with respect to the identification and implementation of planned security enhancements), while also advising on risk mitigation activities to address the latest threats.
To date, we have not experienced any known cybersecurity incidents that have materially affected or are reasonably likely to materially affect us in the future, including our business strategy, results of operations, or financial condition.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Audit Committee of the Board of Directors receives an update from the members of management referenced above on our security posture on at least an annual basis, and more often as needed. The Audit Committee provides oversight as to the status of our cybersecurity apparatus and overall Program management (including with respect to the identification and implementation of planned security enhancements), while also advising on risk mitigation activities to address the latest threats.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Program is also closely aligned with the Legal and Global Compliance organizations to oversee adherence with legal, regulatory and contractual requirements from an information security and data privacy perspective.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Program leverages external subject-matter experts that assist with identifying and remediating security risks present in our environment through threat hunting and vulnerability/control testing with a focus on the latest attack vectors. These external experts bring to bear risk mitigation tactics based on current threats observed across multiple organizations with similar risk profiles.
Key Program activities include:
Annual risk assessment to evaluate our profile against cyber risk threats;
Global policies based on the guiding principles of security by design and least-privilege access;
Maintenance of a critical incident response plan and simulation programs, which include procedures to comply with material security incident reporting requirements in collaboration with key members of Executive Management;
A communication framework designed to ensure that the individuals managing the Program are informed about, and in position to monitor the prevention, detection, mitigation, and remediation of, cybersecurity incidents;
Internal and external security assessments and testing to determine our susceptibility to compromise, lateral movement, privilege escalation and overall cybersecurity internal control posture;
Routine phishing simulations to identify areas for control enhancement and additional training;
Periodic end-user security training and cyber-threat awareness;
Suite of tools and processes to minimize the risk of security compromise in addition to detect controls alerting of potential malicious activity; and
Review and approval process focused on evaluating cybersecurity posture and internal controls relating to third party service providers.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true