If our information technology systems, or the information technology systems of our CROs, our CMOs, service providers, our current and potential future partners or other third parties upon which we rely were compromised, we could experience adverse consequences, including but not limited to material disruptions to our business operations, regulatory investigations or actions, litigation, fines and penalties, reputational harm, loss of revenue or profits, or other adverse consequences.
We collect, store, receive, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, share, and transmit (collectively, process) proprietary, confidential and sensitive information, including personal information (such as health-related data of clinical trial participants and employee information), in the course of our business. Similarly, third parties upon which we rely process certain of that information on our behalf.
Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive information and information technology systems, and those of the third parties upon which we rely. Such threats are constantly evolving and growing in frequency, sophistication, and intensity. For example, these threats may include (without limitation) malware, viruses, software vulnerabilities and bugs, software or hardware failure, hacking, denial of service attacks, social engineering (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing), ransomware, insider threats (such as theft or misuse by personnel), credential stuffing, telecommunications failures, loss or theft of devices, data or other information technology assets, attacks enhanced or facilitated by AI, earthquakes, fires, floods and similar threats. Threats such as ransomware attacks, for example, are becoming increasingly prevalent and severe, and attackers are increasingly leveraging multiple attack methods to extort payment from victims, such as data theft and disabling systems, and can lead to significant interruptions in our operations, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments.
Security incidents may result from the actions of a wide variety of actors with a wide range of motives and expertise, including traditional hackers, our personnel or the personnel of the third parties upon which we rely, organized criminal threat actors, hacktivists, sophisticated nation-states and nation-state-supported actors. During times of war and other major conflicts, we, the third parties upon which we rely, and our customers may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our goods and services.
Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program.
In addition, our reliance on third-party service providers could introduce new cybersecurity risks and vulnerabilities, and other threats to our business operations. For example, we rely on third parties to operate critical business systems and process sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, personnel email, and other functions. We also rely on third parties, including CROs, clinical trial sites and clinical trial vendors, to collect, store, and transmit sensitive data as part of our research activities. Our ability to monitor these third parties is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover damages, or we may be unable to recover such awards. Supply-chain attacks have also increased in frequency and severity, and we cannot guarantee that third parties’ infrastructure in our supply chain or our third-party partners’ supply chains have not been compromised.