others on our behalf, also collect, transmit, store and otherwise process certain data relating to individuals, including about our personnel, business partners, and others, which may be subject to applicable data protection, security and privacy laws and regulations that require adoption of minimum information security standards. The cost of compliance with applicable data protection, security and privacy laws and regulations have increased and may increase in the future.
Despite our implementation of security measures to protect the confidentiality, integrity, and availability of the systems, networks and data within our control from various threats (e.g., cyber-attacks, system breaches, malware, viruses, hacking, fraudulent use, social engineering attacks, phishing attacks, ransomware attacks, credential-stuffing attacks, denial-of-service attacks, unauthorized access, insider threats, accidental disclosures, intellectual property theft and economic espionage, exploitable vulnerabilities, defects or bugs in our or our third-party providers’ systems, natural disasters, war, terrorism, telecommunications and electrical outages, breakdowns, damage, interruptions), we have experienced and may continue to experience cyber-attacks of varying degrees from time to time. For example, in the first quarter of 2022, our Chinese subsidiary, ANP, was subject to a security incident that resulted in a temporary disruptions to some of their internal computer systems. We are currently working with ANP to improve and add additional security measures to their systems and networks. We have incurred costs to respond to the ANP incident. In addition, in the second quarter of 2020, we were subject to a security incident that resulted in a temporary disruption to some of our internal computer systems. In response to this incident, we engaged a third-party forensic expert to investigate, and determined that cyber criminals illegally obtained certain personal information of certain current and former employees. We notified affected individuals and regulators, as we deemed was required or appropriate. We have incurred cost to respond to this incident, and we expect to continue to incur cost to support our efforts to enhance our security measures. Our systems and networks and the systems and networks of third parties that support us and our services may be breached or disrupted due to these threats. The size and complexity of our systems may make them potentially vulnerable to breakdown or interruption, whether due to computer viruses or other causes, which may result in loss of data or the impairment of production and other supply chain processes, adversely affecting our business.
Techniques used to sabotage or obtain unauthorized access to systems and networks are constantly evolving and, in some instances, are not identified until or after they are launched against a target. We and our third-party providers may be unable to anticipate these techniques, discover threats and react in a timely manner, or implement adequate preventative or mitigating measures. Further, system breaches, malware, ransomware, computer hacking, and insider threats have become more prevalent. For example, companies have experienced an increase in phishing and social engineering attacks from third parties in connection with working remotely as a result of the ongoing COVID-19 pandemic. We and our third-party providers who may be operating in remote work environments may have increased security risks, due to increased use of home Wi-Fi networks and virtual private networks, as well as increased disbursement of physical machines. Also, due to political uncertainty and military actions associated with Russia’s invasion of Ukraine, we and our third-party providers are vulnerable to heightened risks of cyber threats and cyber-attacks from or affiliated with nation-state actors, including attacks that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our products and services. While we implement security measures designed to reduce these risks, there is no guarantee that these measures will be adequate to safeguard all systems and networks. Any failure to maintain performance, reliability, security and availability of our systems and networks may result in accidental or unlawful destruction, damage, loss, unavailability, alteration, impairment, misuse, unauthorized disclosure of, or unauthorized access to our data, including personal information.
In addition, potential legal, regulatory, contractual, financial, operational, and reputational harm may arise from the accidental or unlawful destruction, damage, loss, unavailability, alteration, impairment, misuse, unauthorized disclosure of, or unauthorized access to our systems, networks or data, including data which is transmitted, stored or otherwise processed by us or by collaborators, third-party providers, distributors and other contractors on our behalf. For example:
| ● | The accidental or unlawful loss, unavailability or alteration of clinical trial data from completed or ongoing clinical trials for any of our product candidates could affect our ability to operate, result in delays in our development and regulatory approval efforts, and significantly increase our costs to recover or reproduce the data. |
| ● | Any security incident may require costly response and remediation efforts, trigger notification obligations under breach notification laws or contractual notification requirements, result in litigation or adverse regulatory action arising from or related to such an incident or event, damage our reputation, and result in significant additional |