Our business and operations would suffer in the event of system failures, cyberattacks or a deficiency in our or our CDMO’s, CROs’, manufacturers’ contractors’, consultants’ or collaborators’ cybersecurity.
Despite the implementation of security measures, our internal computer systems, as well as those of third parties on which we rely, are vulnerable to damage from, among other things, computer viruses, malware, unauthorized access, natural disasters, terrorism, war telecommunication and electrical failures, system malfunctions, cyberattacks or cyber-intrusions over the Internet, attachments to emails, phishing attacks, persons inside our organization, or persons with access to systems inside our organization. The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hackers, foreign governments and cyber terrorists, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. If such an event were to occur and cause interruptions in our operations, it could lead to the loss, destruction, alteration, prevention of access to, disclosure, dissemination of, or damage or unauthorized access to, our data (including trade secrets or other confidential information, intellectual property, proprietary business information and personal data) or data that is processed or maintained on our behalf, and cause interruptions in our operations, which could result in a material disruption of our product candidate development programs. For example, the loss of preclinical study or clinical trial data from completed, ongoing or planned trials could result in delays in our regulatory approval efforts and significantly increase our costs to recover or reproduce the data. To the extent that any disruption or security breach were to result in a loss of or damage to our data or applications, or inappropriate disclosure of personal, confidential or proprietary information, we could incur liability and the further development of our product candidates could be delayed.
In the ordinary course of our business, we collect and store sensitive data, including intellectual property, clinical trial data, proprietary business information, personal data and personally identifiable information of our clinical trial subjects and employees, in our data centers and on our networks. The secure processing, maintenance and transmission of this information is critical to our operations. Despite our security measures, we cannot ensure that our information technology and infrastructure will prevent breakdowns or breaches in our or their systems or other cybersecurity incidents that cause loss, destruction, unavailability, alteration, dissemination of, or damage or unauthorized access to, our data, including personal data, assets and other data processed or maintained on our behalf, that could have a material adverse effect upon our reputation, business, operations or financial condition. Although, to our knowledge, we have not experienced any such material security breach to date, any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in legal claims or proceedings, liability under laws that protect the privacy of personal information, significant regulatory penalties, and such an event could disrupt our operations, damage our reputation, and cause a loss of confidence in us and our ability to conduct clinical trials, which could adversely affect our reputation and delay clinical development of our product candidates.
To the extent that any disruption or security breach were to result in a loss of or damage to our data or applications, or inappropriate disclosure of confidential or proprietary information or personal data, we could incur material legal claims and liability and damage to our reputation, and the further development of our product candidates could be delayed. Any such event could also compel us to comply with federal and state breach notification laws, and foreign law equivalents, subject us to mandatory corrective action and otherwise subject us to substantial liability under laws, rules, regulations and standards that protect the privacy and security of personal data, which could result in significant legal and financial exposure and reputational damages that could potentially have an adverse effect on our business.
Notifications and follow-up actions related to a data breach or other security incident could impact our reputation and cause us to incur significant costs, including significant legal expenses and
76