Our Board of Directors is responsible for reviewing the Company’s cybersecurity risk management and control systems in relation to the financial reporting by the Company, including the Company’s cybersecurity strategy. Our Board of Directors has delegated periodic oversight of, as appropriate cybersecurity risk management to the Audit Committee, who reports to our Board of Directors.

Our IT department is responsible for targeted and regular monitoring of cybersecurity risks. They independently and continuously monitor cybersecurity risks and countermeasures to defend against such threats and, in the event of a cybersecurity threat or cybersecurity incident, inform executive management, our Audit Committee and our Board of Directors. In addition to the regular meetings between executive management and the individual risk owners mainly consisting out of the various departments’ heads, a comprehensive cybersecurity risk analysis for internal and external risks is carried out as appropriate.

The cybersecurity risks identified and evaluated by the IT department are included in an overall risk catalogue. The identified cybersecurity risks are recorded, described, documented and evaluated in the overall risk catalogue. Changes are also documented accordingly. According to the priority of the cybersecurity risks as result of the risk evaluation, risks are addressed by concrete actions and, if appropriate and possible, necessary countermeasures. In order to be able to react quickly and flexibly to cybersecurity risks, risk management is integrated into existing processes and reporting channels. Our risk management program considers cybersecurity risks alongside other company risks, and our enterprise risk professionals consult with company subject matter experts to gather information necessary to identify cybersecurity risks and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk. We may engage third parties from time to time to conduct risk assessments.

The main cybersecurity risks we continuously monitor include threats and potential incidents resulting in the unavailability of central IT systems, the loss of critical business data, data theft, intellectual property theft, fraud, extortion, harm to employees and patients, violation of privacy laws and other litigation and legal risks, and risks to our reputation. The materialization of these cybersecurity threats may materially affect or may be reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. The unavailability of central IT systems for example, would result in an interruption or delay of any clinical development activities of the Company. The loss of critical business data such as the results of clinical study reports and underlying information, such as tables, listings and filings, could retrospectively destroy our work of several years of clinical development and respective cost. Data theft could, if critical, confidential or proprietary business data is concerned, result in a loss in strength of competition. Intellectual property theft can jeopardize our ability to generate revenue for our shareholders. Breach of privacy laws can put our employees and patients at risk of additional cybersecurity and personal risks, which could lead to a litigation and further costs for the Company. Cybersecurity risks may also result in our Company's reputation being affected.

Executive management, our IT department and employees are the foundation of an effective cybersecurity risk management. We implemented IT security guidelines, which stipulate measures to securely handle personal data, the settings for a reasonably secure password for devices and software, the handling of mobile IT devices as well as the proper use of the internet and e-mail communication software. The Company also implemented two-factor-authentication to access and use a Company user account, including e-mail. All employees as well as all members of executive management are trained on IT security on a regular basis.

While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, we describe whether and how future incidents could have a material impact on our business strategy, results of operations or financial condition in “ITEM 3D. Risk factors—General risk factors—Cyber incidents or other failures in IT systems could result in information theft, data corruption and significant disruption of our business operations.” Additionally, although we have insurance coverage for cybersecurity events, there can be no assurance that we will be able to maintain our insurance coverage or it will be enough to cover the cost associated with one or more cybersecurity events. See “ITEM 3D. Risk factors—General risk factors—We may not be able to maintain sufficient insurance to cover us for potential litigation or other risks.”