We implement and maintain various information security processes designed to identify, assess and manage material risks from cybersecurity threats to our critical computer networks, third party hosted services, communications systems, hardware and software, products and our critical data (including intellectual property and confidential information that is proprietary, strategic or competitive in nature, and clinical trial data) (collectively, Information Systems and Data).

Our Vice President of Finance and other relevant personnel help identify, assess and manage our cybersecurity threats and risks. To monitor and evaluate our threat environment, we use various methods, including reliance upon our service providers, designed to accomplish this task including, for example: manual tools, automated tools, analyzing reports of threats and threat actors, conducting scans of the threat environment, evaluating our and our industry’s risk profile, evaluating threats reported to us, conducting audits, conducting third-party threat assessments, and using external intelligence feeds.

Depending on the relevant information systems environment, we implement and maintain technical and organizational measures, processes, standards and policies, including reliance upon our service providers, designed to manage and mitigate material risks from cybersecurity threats to our Information Systems and Data, including, for example: incident detection and response measures, disaster recovery/business continuity measures, risk assessments, encryption of certain data, network security controls, data segregation, access controls, physical security, asset management (such as tracking and disposal of our information systems), systems monitoring, and cybersecurity insurance.

Our assessment and management of material risks from cybersecurity threats are integrated into our overall risk management processes. For example, our Vice President of Finance works with executive management and our service providers to prioritize our risk management processes and mitigate cybersecurity threats that are more likely to lead to a material impact on our business. Our Vice President of Finance and executive management also evaluate material risks from cybersecurity threats against our overall business objectives and report, as appropriate, to the Audit Committee.

We use third-party service providers to assist us in our efforts to identify, assess, and manage material risks from cybersecurity threats. These service providers may provide services related to: cybersecurity practices, cybersecurity software (such as through managed cybersecurity providers), dark web monitoring, and professional services (including legal counsel).

We use third-party service providers to perform a variety of functions throughout our business, such as application providers, hosting companies, contract research organizations, and contract manufacturing organizations. We manage cybersecurity risks associated with our use of these providers. Depending on the nature of the services provided, the sensitivity of the Information Systems and Data at issue, and the identity of the provider, our vendor management process may involve different levels of assessment (such as by reviewing certain vendors’ cybersecurity controls) designed to help identify, mitigate and manage cybersecurity risks associated with a particular provider.

For a description of the risks from cybersecurity threats that may materially affect us and how they may do so, see our risk factors under Part 1. Item 1A. Risk Factors in this Annual Report on Form 10-K, including the subsection titled “If our information technology systems or those third parties with whom we work, or its data, are or were compromised, we could experience adverse consequences resulting from such compromise, including but not limited to regulatory investigations or actions; litigation; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse consequences.”

Our Board of Directors exercises oversight of our risk management process. The Board of Directors does not have a standing risk management committee, but rather administers this oversight function directly through the Board of Directors as a whole, as well as through various standing committees of the Board of Directors that address risks inherent in their respective areas of oversight. As part of its risk mitigation responsibilities, the Audit Committee is responsible for reviewing and discussing with management, as appropriate, material risks related to data privacy, technology, and information security, including our process for assessing, identifying, and managing such risks, as well as internal controls and disclosure controls and procedures relating to cybersecurity risk and mitigation of such risks.

The Vice President of Finance, Chief Executive Officer (CEO), and Chief Financial Officer (CFO) are responsible for hiring appropriate personnel, helping to integrate cybersecurity risk considerations into our overall risk management strategy, and communicating key cybersecurity priorities to relevant personnel. The Vice President of Finance, CEO, and CFO are also responsible for helping prepare for cybersecurity incidents, approving cybersecurity processes, and reviewing security assessments and other security-related reports.

Our cybersecurity incident response and vulnerability management measures are designed to escalate certain cybersecurity incidents and threats to management members, including the Vice President of Finance, CEO, and CFO, depending on the circumstances. The Vice President of Finance, CEO, and CFO, together with our service providers, would work jointly to mitigate and remediate cybersecurity incidents of which they are notified, and, as appropriate, report such incidents to the Audit Committee.

The CFO is responsible for sending reports to the Audit Committee regarding significant cybersecurity threats and risks. The Audit Committee has access to information, as appropriate, related to cybersecurity threats, risk and mitigation efforts.

Our cybersecurity incident response and vulnerability management measures are designed to escalate certain cybersecurity incidents and threats to management members, including the Vice President of Finance, CEO, and CFO, depending on the circumstances. The Vice President of Finance, CEO, and CFO, together with our service providers, would work jointly to mitigate and remediate cybersecurity incidents of which they are notified, and, as appropriate, report such incidents to the Audit Committee.

The CFO is responsible for sending reports to the Audit Committee regarding significant cybersecurity threats and risks. The Audit Committee has access to information, as appropriate, related to cybersecurity threats, risk and mitigation efforts.