Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | The underlying controls of our Program incorporate elements of recognized industry standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We use various tools and methodologies designed to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and through our use of third-party service providers. These third parties include cybersecurity managed security service providers (“MSSPs”), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. We also engage internal auditors to audit our information technology control environment, test our information technology controls, and report to us any findings. External security service firms monitor Avalo’s networks at all times, and Avalo laptops are patched frequently with up-to-date antivirus and real time threat-monitoring protection. Further, we actively engage with key vendors, industry participants, and law enforcement officials as part of our continuing efforts to evaluate and improve our Program. As part of the Program, we maintain processes related to third-party vendor cybersecurity risk management. We review and confirm controls for vendors providing critical business services and employ quality agreements and vendor audits designed to ensure vendor compliance with our Program and applicable regulatory requirements. Further, we conduct information security assessments before onboarding new vendors and upon detection of an increase in risk profile for existing vendors. We also require our third-party service providers to meet appropriate security requirements, controls and responsibilities via additional security and privacy addenda which we include in our contracts where applicable. As part of our Program, we maintain written information security policies, including an incident response plan. All Avalo employees and contractors are required to participate in annual security awareness training, which includes phishing simulations. Avalo employees are also trained on our written information security policies and the acceptable usage of systems, as well as procedures related to electronic record management. Although risks from cybersecurity threats have not materially affected, and are not reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, to date, we may, from time to time, experience threats to and security incidents related to our and our third-party vendors’ information systems. For further information, refer to Section 1A, Risk Factors, for a discussion of risks related to cybersecurity and technology.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | false |
| Cybersecurity Risk Management Processes Integrated [Text Block] | The underlying controls of our Program incorporate elements of recognized industry standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We use various tools and methodologies designed to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and through our use of third-party service providers. These third parties include cybersecurity managed security service providers (“MSSPs”), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. We also engage internal auditors to audit our information technology control environment, test our information technology controls, and report to us any findings. External security service firms monitor Avalo’s networks at all times, and Avalo laptops are patched frequently with up-to-date antivirus and real time threat-monitoring protection. Further, we actively engage with key vendors, industry participants, and law enforcement officials as part of our continuing efforts to evaluate and improve our Program.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Our Board of Directors has delegated Program oversight to the Audit Committee (the “Committee”). The Committee is composed of directors with expertise in technology, audit, finance, and compliance. The Company’s Information Security Working Group (“ISWG”) manages cybersecurity risks and oversees the design, implementation, and evaluation of the Program. The responsibilities of the ISWG include defining cybersecurity risk tolerance, guiding implementation of the Program, monitoring Program development and effectiveness, and validating investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the Chief Legal Officer, the Senior Vice President of Human Resources, the Senior Vice President of Regulatory and Quality Assurance, and the Vice President of Information Technology. The ISWG meets semi-annually to review the effectiveness of the Program, discuss any new developments and potential improvements to the Program, and evaluate internal and external security-related events to determine how Avalo can take appropriate steps to mitigate such risks. Our Vice President of Information Technology (“VP of IT”), is responsible for Avalo’s enterprise-wide cybersecurity strategy, architecture, policies, processes, and controls, and is directly responsible for the day-to-day management of the Program. The individual serving in this role has over 20 years of experience with information technology and over 8 years of experience managing cybersecurity risk management programs. Our VP of IT reports to the Senior Vice President of Human Resources (“SVP of HR”). The VP of IT regularly informs the SVP of HR, and other members of the leadership team, about the Program, best practices, current cybersecurity threats, the cyber-risk landscape, and mitigation strategies. These reports include the following on an as-needed basis: updates on the Program; assessment of the Program; emerging risks or concerns; policies, procedures, and training; and risk mitigation strategies. The SVP of HR provides information technology and cybersecurity reports as necessary at meetings of management’s Disclosure Committee. These reports are also communicated to the Audit Committee, as necessary.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Committee is composed of directors with expertise in technology, audit, finance, and compliance. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The responsibilities of the ISWG include defining cybersecurity risk tolerance, guiding implementation of the Program, monitoring Program development and effectiveness, and validating investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the Chief Legal Officer, the Senior Vice President of Human Resources, the Senior Vice President of Regulatory and Quality Assurance, and the Vice President of Information Technology. |
| Cybersecurity Risk Role of Management [Text Block] | We use various tools and methodologies designed to identify, manage, and test for cybersecurity risk on a regular cadence both at the enterprise level and through our use of third-party service providers. These third parties include cybersecurity managed security service providers (“MSSPs”), consultants, advisors, and auditors, who we engage to evaluate our controls, whether through penetration testing, independent audits, or consulting on best practices to address new threats or challenges. We also engage internal auditors to audit our information technology control environment, test our information technology controls, and report to us any findings. External security service firms monitor Avalo’s networks at all times, and Avalo laptops are patched frequently with up-to-date antivirus and real time threat-monitoring protection. Further, we actively engage with key vendors, industry participants, and law enforcement officials as part of our continuing efforts to evaluate and improve our Program.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The Company’s Information Security Working Group (“ISWG”) manages cybersecurity risks and oversees the design, implementation, and evaluation of the Program. The responsibilities of the ISWG include defining cybersecurity risk tolerance, guiding implementation of the Program, monitoring Program development and effectiveness, and validating investments in cybersecurity measures and infrastructure. Members of the ISWG include: the Chief Financial Officer, the Chief Legal Officer, the Senior Vice President of Human Resources, the Senior Vice President of Regulatory and Quality Assurance, and the Vice President of Information Technology. The ISWG meets semi-annually to review the effectiveness of the Program, discuss any new developments and potential improvements to the Program, and evaluate internal and external security-related events to determine how Avalo can take appropriate steps to mitigate such risks. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The individual serving in this role has over 20 years of experience with information technology and over 8 years of experience managing cybersecurity risk management programs. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our VP of IT reports to the Senior Vice President of Human Resources (“SVP of HR”). The VP of IT regularly informs the SVP of HR, and other members of the leadership team, about the Program, best practices, current cybersecurity threats, the cyber-risk landscape, and mitigation strategies. These reports include the following on an as-needed basis: updates on the Program; assessment of the Program; emerging risks or concerns; policies, procedures, and training; and risk mitigation strategies. The SVP of HR provides information technology and cybersecurity reports as necessary at meetings of management’s Disclosure Committee. These reports are also communicated to the Audit Committee, as necessary. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |