We operate in the biotechnology industry, where the protection of sensitive information and the continuity of our operations are critical. We are subject to cybersecurity risks which could adversely affect our business, financial condition, or results of operations. We maintain a risk-based cybersecurity program designed to identify, assess, and mitigate cybersecurity threats. Our program incorporates applicable industry standards and is managed through a cross-functional approach involving our Information Technology, legal, compliance, and other relevant teams. It is overseen by our Chief Information Officer (“CIO”), who is responsible for the day-to-day management of cybersecurity risks and the implementation of our information security program and incident response plans.

Our risk management activities include periodic assessments, vulnerability testing, and tabletop exercises, as well as regular engagement with third-party experts to perform independent security assessments. We have expanded employee training and phishing simulations, and we conduct ongoing monitoring of access to our systems, including oversight of third-party vendors and service providers. The results of assessments and reviews are reported to senior management and the Audit Committee, and our policies and controls are updated as necessary.

 While we have experienced a cybersecurity incident in the past and encounter cybersecurity threats from time to time in the ordinary course of business, none to date have had a material adverse effect on our business, financial condition, results of operations or cash flows. Despite our proactive measures, including expanded employee training and enhanced vendor oversight, cybersecurity threats continue to evolve, and no system can be entirely secure. A future cybersecurity incident could materially impact our operations, financial results, or reputation.

Risk Management and Strategy

 As part of our overall risk management framework, our cybersecurity program takes a comprehensive, layered approach to identifying, preventing and mitigating cybersecurity threats and incidents. This includes implementing controls and escalation procedures to ensure that significant incidents are promptly communicated to management for timely decision-making regarding public disclosure and regulatory reporting.

 We deploy multiple technical safeguards designed to protect our information systems, including firewalls, intrusion prevention and detection systems, anti-malware tools, access controls, and continuous monitoring. These safeguards are evaluated and enhanced through regular vulnerability assessments, penetration testing and ongoing cybersecurity threat intelligence.

 We maintain formal incident response and recovery plans that define our procedures for addressing cybersecurity incidents. These plans are tested, updated, and refined on a regular basis to ensure readiness.

 We apply a risk-based approach to managing cybersecurity risks posed by third parties, including vendors, contract research organizations, service providers and other external users of the our systems. This also includes assessing and overseeing risks related to third-party systems that, if compromised, could negatively impact our business operations.

 While we have experienced a cybersecurity incident in the past and encounter cybersecurity threats from time to time in the ordinary course of business, none to date have had a material adverse effect on our business, financial condition, results of operations or cash flows. Despite our proactive measures, including expanded employee training and enhanced vendor oversight, cybersecurity threats continue to evolve, and no system can be entirely secure. A future cybersecurity incident could materially impact our operations, financial results, or reputation.