76
Cyberattacks or other failures in our or our third-party vendors’, contractors’ or consultants’ telecommunications
or information
technology systems could result in information theft, compromise, or other unauthorized access, data corruption and significant
disruption of our business operations, and could harm our reputation and subject us to liability, lawsuits and actions from
governmental authorities.
The success of our research and development programs depends on data which is stored and transmitted digitally, the corruption or
loss of which could cause significant setback to one or all of our programs. We face a number of risks related to our use, processing,
storage and security of this critical information, including loss of access, inappropriate use or disclosure, inappropriate
modification
corruption, unauthorized access or processing. Because we use third-party vendors and subcontractors to manage our sensitive
information, we also may not have the ability to adequately monitor, audit or modify the security controls over this critical
information. Despite the implementation of security measures, given the size and complexity of our internal information technology
(“IT”) systems and those of our third-party vendors, contractors and consultants, such IT systems are potentially vulnerable
to
breakdown or other damage or interruption from service interruptions, system malfunction, natural disasters, terrorism, war, and
telecommunication and electrical failures.
Cyber threats are persistent and constantly evolving. Such threats, which may include ransomware or other malware, phishing attacks,
denial of services attacks, man-in-the-middle attacks and others, have increased in frequency, scope and potential impact in recent
years, which increase the difficulty of detecting and successfully defending against them. We may not be able to anticipate all types of
security threats, and, despite our efforts, we may not be able to implement preventive measures effective against all such security
threats. The techniques used by cyber criminals change frequently, may not be recognized until launched, and can originate from a
wide variety of sources, including outside groups such as external service providers, organized crime affiliates, terrorist organizations
or hostile foreign governments or agencies. There can be no assurance that we or our third-party service providers, contractors
or
consultants will be successful in preventing cyberattacks or successfully mitigating their effects. Our IT systems and those of our
third-party service providers, contractors or consultants are additionally vulnerable to security breaches from inadvertent
or intentional
actions by our employees, third-party vendors, contractors, consultants, business partners and/or other third parties. These threats pose
a risk to the security of our systems and networks, the confidentiality and the availability, security and integrity of our data, and these
risks apply both to us and to third parties on whose systems we rely for the conduct of our business. If the IT systems of our third-
party vendors and other contractors and consultants become subject to disruptions or security breaches, we may have insufficient
recourse against such third parties and we may have to expend significant resources to mitigate the impact of such an event, and to
develop and implement protections to prevent future events of a similar nature from occurring. Any cyberattack or destruction or loss
of, unauthorized access to, processing of, or exfiltration of data could have a material adverse effect on our business, financial
condition, results of operations and prospects. For example, if such an event were to occur and cause interruptions in our operations,
or those of our third-party vendors and other contractors and consultants, it could result in a material disruption or delay of the
development of our product candidates. In addition, we may suffer reputational harm or face litigation or adverse regulatory action as
a result of cyberattacks or other data security breaches, particularly those involving personal information or protected health
information, and may incur significant additional expense to implement further data protection measures. As cyber
threats continue to
evolve, we may be required to incur material additional expenses in order to enhance our protective measures or to remediate any
information security vulnerability.
We are subject to stringent privacy laws, information security laws, regulations, policies and contractual obligations related to data
privacy and security and changes in such laws, regulations, policies and contractual obligations could adversely affect our
business, financial condition, results of operations and prospects.
We are subject to data privacy and security laws and regulations that apply to the collection, transmission, storage, use, processing,
destruction, retention and security of personal information, which among other things, including additional laws or regulations relating
to health information. The legislative and regulatory landscape for privacy and data protection continues to evolve in jurisdictions
worldwide, and these laws may at times be conflicting. It is possible that these laws may be interpreted and applied in a manner
that is
inconsistent with our practices and our efforts to comply with the evolving data protection rules may be unsuccessful. We must devote
significant resources to understanding and complying with this changing landscape. Failure to comply with federal,
state and
international laws regarding privacy and security of personal information could expose us to penalties under such laws,
orders
requiring that we change our practices, claims for damages or other liabilities, regulatory investigations and enforcement action,
litigation and significant costs for remediation, any of which could adversely affect our business. Even if we are not determined to
have violated these laws, government investigations into these issues typically require the expenditure of significant resources and
generate negative publicity, which have a material adverse effect on our business, financial condition, results of operations and
prospects. Failure to comply with any of these laws and regulations could result in enforcement action against us, including fines,
criminal prosecution of employees, claims for damages by affected individuals and damage to our reputation and loss of goodwill, any
of which could have a material adverse effect on our business, financial condition, results of operations and prospects. Additionally, if
we are unable to properly protect the privacy and security of personal information, including protected health information, we could
be found to have breached our contracts with certain third parties.