Item 1B. Cybersecurity

 

Cybersecurity Risk Management and Strategy

 

We, like other companies in our industry, face several cybersecurity risks in connection with our business. Our business strategy, results of operations, and financial condition have not, to date, been affected by risks from cybersecurity threats. During the reporting period, we have not experienced any material cyber incidents, nor have we experienced a series of immaterial incidents, which would require disclosure.

 

In the ordinary course of our business, we use, store and process data including data of our employees, trial participants, partners, clients, and vendors. We have implemented a cybersecurity risk management program that is designed to identify, assess, and mitigate risks from cybersecurity threats to this data and our systems. Our cybersecurity risk management program incorporates several components, including information security program assessments, continuous monitoring of cyber risks and threats using automated tools, written incident response and disaster recovery policies and procedures, and employee training. Under the direction of our Chief Financial Officer, our cyber risk management program is led by a third-party IT consultant with more than 30 years of technology engineering experience and several advanced degrees. We also deploy endpoint detection software and device management in conjunction with other reputable cybersecurity software. Additionally, we require multifactor authentication across all systems.

 

We periodically engage third parties to conduct risk assessments and other vulnerability analyses. Lastly, our program includes cybersecurity training for all employees. The semi-annual training focuses on cyber threat awareness, including phishing.

 

Governance Related to Cybersecurity Risks

 

Under the ultimate direction of our chief executive officer (“CEO”), the Board of Directors is updated on our cybersecurity risk management program, including any critical cybersecurity risks, ongoing cybersecurity initiatives and strategies, and applicable regulatory requirements and industry standards, on an as-needed basis. The CEO also notifies the Board of any cybersecurity incidents (suspected or actual) and provides updates on the incidents as well as cybersecurity risk mitigation activities as appropriate.

 

 

Back SEC Filing Thank you for subscribing