v3.26.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Cybersecurity Risk Management and Strategy; Effect of Risk 

We face risks related to cybersecurity such as unauthorized access, cybersecurity attacks and other security incidents, including those perpetrated by hackers and unintentional disruptions to hardware and software systems, loss of data, and misappropriation of confidential information. To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets. We consider risks from cybersecurity threats alongside other company risks as part of our overall risk assessment process. We employ a range of tools and services, including regular network and endpoint monitoring, audits, vulnerability assessments, penetration testing, threat modelling and tabletop exercises to inform our risk identification and assessment. As discussed in more detail under “Cybersecurity Governance” below, our board of directors provides oversight of our cybersecurity risk management and strategy processes, which are led by our Chief Executive Officer.

 

We also identify our cybersecurity threat risks by comparing our processes to standards set by the Center for Internet Security (CIS) as well as by engaging experts to attempt to infiltrate our information systems.

 

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:

 

We also identify our cybersecurity threat risks by comparing our processes to standards set by the Center for Internet Security (CIS) as well as by engaging experts to attempt to infiltrate our information systems. We utilize Microsoft Security tools to facilitate our CIS assessments, ensuring alignment with industry best practices and enhancing our security posture.

  

To provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and protect against and respond to cybersecurity incidents, we undertake the following activities:

 

  Monitor emerging data protection laws and implement changes to our processes designed to comply with such laws and implement the latest Center for Internet Security benchmarks to comply with up-to-date requirements using Microsoft Compliance Manager and Azure Security Center.
  Through our policies, practices, and contracts (as applicable), require employees, as well as third parties that provide services on our behalf, to treat confidential information and data with care, including using policies such as “right to know” and “right to access” with granular access to confidential information, managed via Microsoft Azure Active Directory’s Role-Based Access Control (RBAC).
  Employ technical safeguards designed to protect our information systems from cybersecurity threats, including firewalls, intrusion prevention and detection systems, anti-malware functionality, and access controls, which are evaluated and improved through vulnerability assessments and cybersecurity threat intelligence using Microsoft Defender for Endpoint and Microsoft Sentinel for active threat hunting and alerts monitoring by cybersecurity operators, threat analytics, endpoint management, and application evaluations.
  Provide regular, mandatory training for our employees and contractors regarding cybersecurity threats as a means to equip them with effective tools to address cybersecurity threats, and to communicate our evolving information security policies, standards, processes and practices.
  Conduct regular phishing email simulations for all employees and contractors with access to our email systems to enhance awareness and responsiveness to possible threats, including built-in tools for phishing campaigns and attack simulators, and usage of sandbox environments to evaluate threats.
  Conduct annual cybersecurity management and incident training for employees involved in our systems and processes that handle sensitive data.
  Run tabletop exercises to simulate responses to cybersecurity incidents and use the findings to improve our processes and technologies.
  Leverage the NIST incident handling framework to help us identify, protect, detect, respond and recover when there is an actual or potential cybersecurity incident.
  Carry information security risk insurance that provides protection against potential losses arising from a cybersecurity incident.

 

Our processes also address cybersecurity threat risks associated with our use of third-party service providers, including our suppliers and manufacturers who have access to patient and employee data or our systems. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and continually monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.

 

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We are increasingly dependent on information technology and our systems and infrastructure face certain risks, including cybersecurity and data storage risks.” Such disclosures are incorporated by reference herein.

 

In the last three fiscal years, we have not experienced any material cybersecurity incidents and the expenses we have incurred from cybersecurity incidents were immaterial. This includes penalties and settlements, of which there were none.

 
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] To identify and assess material risks from cybersecurity threats, we maintain a comprehensive cybersecurity program to ensure our systems are effective and prepared for information security risks, including regular oversight of our programs for security monitoring for internal and external threats to ensure the confidentiality and integrity of our information assets.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We are increasingly dependent on information technology and our systems and infrastructure face certain risks, including cybersecurity and data storage risks.”
Cybersecurity Risk Board of Directors Oversight [Text Block] Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management. In general, our board of directors oversees risk management activities designed and implemented by our management, and considers specific risks, including, for example, risks associated with our strategic plan, business operations, and capital structure. Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats. 

Our board of directors receives an annual update, and more often if required, from management of our cybersecurity threat risk management and strategy processes. These updates cover topics such as our data security posture, results from third-party assessments, progress toward pre-determined risk-mitigation-related goals, our incident response plan, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In these sessions, our board of directors generally receives a report that includes cybersecurity details and other materials discussing current and emerging material cybersecurity threat risks, and describing our ability to mitigate those risks, as well as recent developments, evolving standards, technological developments and information security considerations arising with respect to our peers and third parties. Management also discusses such matters with our Chief Executive Officer. Our board of directors also receives prompt and timely information regarding any cybersecurity incident that meets established reporting thresholds, as well as ongoing updates regarding any such incident until it has been addressed.

 

Members of the board of directors are also encouraged to regularly engage in conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters.

 

Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer and our external cybersecurity consultants. These consultants are informed about, and monitor, the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these consultants report to management about cybersecurity threat risks, among other cybersecurity-related matters, at least annually.

 
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our board of directors executes its oversight responsibility for risk management both directly and through delegating oversight of certain of these risks to its committees, and our board of directors has authorized our audit committee to oversee risks from cybersecurity threats.
Cybersecurity Risk Role of Management [Text Block] Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Executive Officer and our external cybersecurity consultants.
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] These consultants are informed about, and monitor, the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of and participation in the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan.