| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Abstract] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Risk Management and Strategy
We have implemented additional security measures as part of an evolving cybersecurity posture and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks and mitigate the damage that could result from such an attack. All employees have recently begun receiving cybersecurity training and other education regarding their use of computers, information technology, and sensitive data including specifically how to recognize common attack strategies. As the Company does not have a physical office location, it does not have a local network or in-house servers and proprietary applications. We therefore utilize third-party applications and resources to support our information technology (“IT”) needs. All applications utilized by the Company are Software as a Service (“SaaS”) offerings. As our applications are developed and managed by third parties, we are dependent on these providers for many functions including disaster recovery during a disaster or cyber incident. Our goal is to only utilize the most secure and trusted providers for our IT needs. Our business continuity plans are evaluated against evolving security and service level standards, which includes evaluating those cybersecurity threats associated with our use of key third-party service providers.
Our cybersecurity management strategy consists of utilizing a combination of employee education, preventative controls, detective controls, and periodic third-party cybersecurity testing. During fiscal year 2023 we began to deploy and utilize enterprise scale technology to support an appropriate cybersecurity posture including: endpoint detection and response, firewalls, security information and event management, email security, multifactor authentication, and vulnerability management. As part of the service offering from our outsourced IT security services provider, cybersecurity related alerts will be issued to us as relevant situations develop. These alerts will be evaluated in concert with our IT provider and in the event an alert requires action within our environment, such actions will be taken promptly. Our process and cybersecurity posture will continue to be refined based on the results of periodic cybersecurity assessments conducted jointly with our IT provider. We have recently begun reporting on cybersecurity in reports to the Board of Directors and will continue to do so.
To operate our business, we rely upon certain third-party service providers to perform a variety of functions, such as outsourced business critical functions, clinical research, professional services, SaaS platforms, managed services, cloud-based infrastructure, content delivery, encryption and authentication technology, corporate productivity services, and other functions. We are developing certain vendor management processes designed to help to manage cybersecurity risks associated with our use of certain of these providers. Depending on the nature of the services provided, the sensitivity and quantity of information processed, and the identity of the service provider, our vendor management process may include reviewing the cybersecurity practices of such provider, contractually imposing obligations on the provider related to the services they provide and/or the information they process, conducting security assessments, conducting on-site inspections, requiring their completion of written questionnaires regarding their services and data handling practices, and conducting periodic re-assessments during their engagement. For our largest third-party provider, our Contract Research Organization (“CRO”) which is helping us manage our global trial of Berubicin, we are currently conducting a security assessment and review including their cybersecurity practices, protocols and protections, handling of information protected by HIPAA, and physical security. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We have implemented additional security measures as part of an evolving cybersecurity posture and will continue to devote resources to address security vulnerabilities in an effort to prevent cyberattacks and mitigate the damage that could result from such an attack. All employees have recently begun receiving cybersecurity training and other education regarding their use of computers, information technology, and sensitive data including specifically how to recognize common attack strategies. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Governance
The Board of Directors is responsible for oversight of cybersecurity risk. Our Chief Financial Officer and Chief Executive Officer are the members of management responsible for managing and assessing our cybersecurity practices and have recently commenced reporting on such practices and risks. The plan for the future is that they will continue to report to the Board on cybersecurity at least quarterly. Should any cybersecurity threat or incident be detected, our senior management team would timely report such threat or incident to the Board of Directors and provide regular communications and updates throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken. We believe we are appropriately staffed (as supported by our outsourced IT provider) to support a healthy cybersecurity posture given our size and scope. To date, there have been no risks identified from cybersecurity threats or previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect the company. However, despite all of the aforementioned efforts, a cyberattack, if it occurred, could cause system operational problems, disrupt service to clinical trial sites, compromise important data or systems or result in an unintended release of confidential information. See “Item 1A. Risk Factors” for additional discussion of cybersecurity risks impacting our Company. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Board of Directors is responsible for oversight of cybersecurity risk. Our Chief Financial Officer and Chief Executive Officer are the members of management responsible for managing and assessing our cybersecurity practices and have recently commenced reporting on such practices and risks. |
| Cybersecurity Risk Role of Management [Text Block] | The plan for the future is that they will continue to report to the Board on cybersecurity at least quarterly. Should any cybersecurity threat or incident be detected, our senior management team would timely report such threat or incident to the Board of Directors and provide regular communications and updates throughout the incident and any subsequent investigation, in order that the impact, materiality, and reporting requirements of such incident are appropriately identified and assessed for further necessary or appropriate action to be taken. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | We believe we are appropriately staffed (as supported by our outsourced IT provider) to support a healthy cybersecurity posture given our size and scope. |