Our employees and employees of our collaborators may engage in misconduct or other improper activities, including non-compliance with regulatory standards and requirements.
We and our collaborators are exposed to the risk of employee fraud or other misconduct. Misconduct by employees could include intentional failures to comply with the FDA regulations, to provide accurate information to the FDA, to comply with manufacturing standards we have established, to comply with federal and state healthcare fraud and abuse laws and regulations, to report financial information or data accurately or to disclose unauthorized activities to us. In particular, sales, marketing and business arrangements in the healthcare industry are subject to extensive laws and regulations intended to prevent fraud, kickbacks, self-dealing and other abusive practices. These laws and regulations may restrict or prohibit a wide range of pricing, discounting, marketing and promotion, sales commission, customer incentive programs and other business arrangements. Employee misconduct could also involve the improper use of individually identifiable information, including, without limitation, information obtained in the course of clinical trials, which could result in regulatory sanctions and serious harm to our reputation. We have adopted a code of business conduct and ethics, but it is not always possible to identify and deter employee misconduct, and the precautions we take to detect and prevent improper activities may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to be in compliance with such laws or regulations. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, or any such actions are instituted against any of our collaborators, those actions could have a significant impact on our business, including the imposition of significant fines or other sanctions and diminished royalties.
If our information technology systems or data, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including, but not limited to, regulatory investigations or actions; litigation; fines and penalties; a disruption of our business operations, including our clinical trials; reputational harm; loss of revenue and profits; and other adverse consequences.
In the ordinary course of our business, we and the third parties upon which we rely collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) proprietary, confidential, and sensitive data, including personal data (such as health-related data), intellectual property, and trade secrets. We rely upon third parties (such as service providers) for our data processing–related activities. We share or receive sensitive data with or from third parties. We are increasingly dependent on information technology systems and infrastructure, including mobile technologies, to operate our business. Cyberattacks, malicious internet-based activity, and online and offline fraud are prevalent and continue to increase. These threats are becoming increasingly difficult to detect. These threats come from a variety of sources, including traditional computer “hackers,” threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, including cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to operate our clinical trials and develop our products. We and the third parties upon which we rely may be subject to a variety of evolving threats, including but not limited to social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, attacks enhanced or facilitated by artificial intelligence (AI), telecommunications failures, earthquakes, fires, floods, and other similar threats. Ransomware attacks, including those perpetrated by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our operations, loss of data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments.
We rely on third parties and technologies to operate critical business systems to process sensitive information in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, content delivery to customers, and other functions. We also rely on CROs