Counterfeit versions of our products could harm our patients and reputation.
Our industry has been increasingly challenged by the vulnerability of distribution channels to illegal counterfeiting and the presence of counterfeit products in a growing number of markets and over the Internet. Counterfeit products are frequently unsafe or ineffective, and can be potentially life-threatening. To distributors and patients, counterfeit products may be visually indistinguishable from the authentic version. Reports of adverse reactions to counterfeit drugs or increased levels of counterfeiting could materially affect patient confidence in the authentic product, and harm the business of companies such as ours. Additionally, it is possible that adverse events caused by unsafe counterfeit products would mistakenly be attributed to the authentic product. If a product of ours was the subject of counterfeits, we could incur substantial reputational and financial harm in the longer term.
Our business and operations have been impacted in the past, and may be impacted in the future, in the event of system breach or failure.
We, our collaborators, third-party providers, distributors, customers and other contractors utilize information technology systems and networks to transmit, store and otherwise process electronic data in connection with our business activities, including our supply chain processes, operations and communications including, in some cases, our clinical data and business proprietary information, and Electronic Data Interchange, or EDI, on purchase orders, invoices, chargebacks, among other things. We, and our collaborators, third-party providers, distributors and other contractors, also collect, transmit, store and otherwise process certain data relating to individuals, including about our personnel, business partners, and others, which may be subject to applicable data protection, security and privacy laws and regulations that require adoption of minimum information security standards. The cost of compliance with applicable data protection, security and privacy laws and regulations have increased and may increase in the future.
Despite our implementation of security measures to protect the confidentiality, integrity, and availability of the systems, networks and data within our control from various threats (e.g., cyber-attacks, system breaches, malware, viruses, hacking, fraudulent use, social engineering attacks, phishing attacks, ransomware attacks, credential-stuffing attacks, denial-of-service attacks, unauthorized access, insider threats, accidental disclosures, intellectual property theft and economic espionage, exploitable vulnerabilities, defects or bugs in our or our third-party providers’ systems, natural disasters, war, terrorism, telecommunications and electrical outages, breakdowns, damage, interruptions), we have experienced and may continue to experience cyber-attacks of varying degrees from time to time. For example, in the first quarter of 2022, our Chinese subsidiary, ANP, was subject to a security incident that resulted in a temporary disruption to some of their internal computer systems. We worked with ANP to improve and implement additional security measures to their systems and networks. We have incurred costs to respond to the ANP incident. In addition, in the second quarter of 2020, we were subject to a security incident that resulted in a temporary disruption to some of our internal computer systems. In response to this incident, we engaged a third-party forensic expert to investigate, and determined that cyber criminals illegally obtained certain personal information of certain current and former employees. We notified affected individuals and regulators, as we deemed was required or appropriate. We have incurred cost to respond to this incident, and we expect to continue to incur cost to support our efforts to enhance our security measures. Our systems and networks and the systems and networks of third parties that support us and our services may be breached or disrupted due to these threats. The size and complexity of our systems may make them potentially vulnerable to breakdown or interruption, whether due to computer viruses or other causes, which may result in loss of data or the impairment of production and other supply chain processes, adversely affecting our business.
Techniques used to sabotage or obtain unauthorized access to systems and networks are constantly evolving and, in some instances, are not identified until or after they are launched against a target. We and our third-party providers may be unable to anticipate these techniques, discover threats and react in a timely manner, or implement adequate preventative or mitigating measures. Further, system breaches, malware, ransomware, computer hacking, and insider threats have become more prevalent. For example, companies have experienced an increase in phishing and social engineering attacks from third parties in connection with working remotely as a result of the ongoing COVID-19 pandemic. We and our third-party providers who may be operating in remote work environments may have increased security risks, due to increased use of home Wi-Fi networks and virtual private networks, as well as increased disbursement of physical machines. Also, due to political uncertainty and military actions associated with Russia’s invasion of Ukraine, we and our third-party providers are vulnerable to heightened risks of cyber threats and cyber-attacks from or affiliated with nation-state actors, including attacks that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our products and services. While we implement security measures designed to reduce these risks, there is no guarantee that these measures will be adequate to safeguard all systems and networks. Any failure to maintain performance, reliability, security and availability of our systems and networks may result in accidental or