Our information technology systems, or those used by our third‑party research institution collaborators, CROs, CMOs, or other contractors or consultants, may fail or suffer cyberattacks or security breaches.
We are increasingly dependent upon information technology systems, infrastructure and data to operate our business. In the ordinary course of business, we collect, store and transmit confidential information (including but not limited to intellectual property, proprietary business information, clinical trial data, and personal information of our employees and contractors). It is critical that we do so in a secure manner to maintain the confidentiality and integrity of such confidential information. We also have outsourced elements of our operations to third parties, and as a result we manage a number of third‑party contractors who have access to our confidential information.
We face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity and availability of our information technology systems and confidential information. Despite the implementation of security measures, our information technology systems and those of our CROs, CMOs, and other contractors and consultants are vulnerable to attack, damage, or interruption from diverse threat vectors, including hacking, cyberattacks, “phishing” attacks and other social engineering schemes, computer viruses and malware (e.g., ransomware), misconfigurations, “bugs” or other vulnerabilities, malicious code, denial or degradation of service attacks, sophisticated nation‑state and nation‑state supported actors, unauthorized access or use by persons within our organization, natural disasters, terrorism, war and telecommunication and electrical failures, employee theft or misuse, human error, and fraud. Attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. As a result of the continued hybrid working environment, we also face increased cybersecurity risks due to our reliance on internet technology and the number of our employees who are working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Further, any integration of artificial intelligence in our or any third party’s operations, products or services is expected to pose new or unknown cybersecurity risks and challenges.
We and certain of our service providers are from time to time subject to cyberattacks and security incidents, including social engineering and phishing attacks. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques – including artificial intelligence – that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Although to our knowledge we have not experienced any such material system failure, accident, or security breach to date, if such an event were to occur and negatively affect, our operations, it could result in a material disruption of our development programs and our business operations. For example, the loss of clinical trial data from completed or future clinical trials could result in delays in our regulatory approval efforts and significantly increase our costs to recover or reproduce the data. Further, we cannot ensure that our data protection efforts and our investment in information technology will prevent significant breakdowns, data leakages, breaches in our systems or other cyber incidents that could have a material adverse effect upon our reputation, business, operations or financial condition. There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our information technology systems and confidential information.
Likewise, we rely on our third‑party research institution collaborators for research and development of our product candidates and other third parties for the manufacture of our product candidates and to conduct clinical trials, and similar events relating to their information technology systems could also have a material adverse effect on our business. To the extent that any disruption or security incident were to result in an actual or perceived loss of, or damage to, our data or applications, or inappropriate disclosure of confidential or proprietary information or patient information, we could incur liability and the further development and commercialization of our product candidates could be delayed. Furthermore, significant disruptions of our internal information technology systems or security breaches could result in the loss, misappropriation, and/or unauthorized access, use, or disclosure of, or the prevention of access to, confidential information (including trade secrets or other intellectual property, proprietary business information, and personal information), which could result in financial, legal, business, and reputational harm to us. For example, any such event that leads to unauthorized access, use, or disclosure of personal information, including personal information regarding our clinical trial subjects or employees, could harm our reputation directly, compel us to comply with federal and/or state breach notification laws and foreign law equivalents, subject us to mandatory corrective action, and otherwise subject us to liability under laws and regulations that protect the privacy and security of personal information, which could result in significant legal and financial exposure and reputational damages that could potentially have an adverse effect on our business. Further, our insurance coverage may not be sufficient to cover the financial, legal, business or reputational losses that may result from an interruption or breach of our systems.
We have entered and expect to enter into collaboration, license, contract research and/or manufacturing relationships with organizations that operate in certain countries that are at heightened risk of theft of technology, data and intellectual property through direct intrusion by private parties or foreign actors, including those affiliated with or controlled by state actors. Accordingly, our efforts to protect and enforce our intellectual property rights around the world may be inadequate to obtain a significant commercial advantage from the intellectual property that we develop or license, and we may be at heightened risk of losing our proprietary intellectual property rights
