Lexeo Therapeutics, Inc. - (LXEO)

10-K Filing Date: March 11, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have established policies and processes for assessing, identifying, and managing risk from cybersecurity threats. We periodically assess risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein. Following these risk assessments, we evaluate how to reasonably address any identified gaps in existing safeguards and monitor the effectiveness of our safeguards. We devote resources and designate high-level personnel, including our Chief Business and Legal Officer, who reports to our Chief Executive Officer, to manage the risk assessment and mitigation process.

As part of our overall risk management system, we monitor and test our safeguards and train our employees on these safeguards, including our cybersecurity safeguards, in collaboration with human resources, IT, and management. Personnel at all levels and departments are made aware of our cybersecurity policies through trainings.

We engage specialized third parties in connection with our risk assessment processes. These third parties assist us in designing and implementing our cybersecurity policies and procedures, as well as in monitoring and testing our safeguards.

We also require key third-party service providers with access to our IT environment to certify on a contract-by-contract basis that they have the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of their security measures that may affect our company.

We have not previously experienced any cybersecurity risk or cybersecurity incident which has been determined to be material. For additional information regarding whether any risks from cybersecurity threats are reasonably likely to materially affect our company, including our business strategy, results of operations, or financial condition, please refer to Item 1A, “Risk Factors” in this Annual Report on Form 10-K, including the risk factor entitled “Our business and operations would suffer in the event of system failures, cyberattacks or a deficiency in our or our CMOs’, CROs’, manufacturers’, contractors’, consultants’ or collaborators’ cybersecurity”.

Governance

One of the key functions of our board of directors is informed oversight of our risk management process, including risks from cybersecurity threats. Our board of directors is responsible for monitoring and assessing strategic risk exposure, and our Executive Officers are responsible for the day-to-day management of the material risks we face. Our board of directors administers its cybersecurity risk oversight function directly as a whole, as well as through our audit committee.

Our Chief Business and Legal Officer and our security governance steering committee, which includes our Controller, Vice President of HR, Vice President of Program Management and Manager of IT/IS, are primarily responsible for assessing and managing our risks from cybersecurity threats. Our Chief Business and Legal Officer has more than a decade of operational experience overseeing and advising on risk management in the highly regulated biopharmaceutical industry, and leads a wide range of business functions, including IT/IS. Our Manager of IT/IS has over 20 years of experience with IT, with an emphasis on cybersecurity over the past two years. They and other members of our security governance steering committee engage in training and education relating to cybersecurity risk.

Our Chief Business and Legal Officer and our security governance steering committee oversee our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. Our Chief Business and Legal Officer and our management committee on cybersecurity are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents through their work overseeing, working with, and delegating daily operations to the IT/IS team, as well as their work developing and implementing information security policies, consistent with the IT/IS processes. These policies are reviewed at least annually with updates authorized and approved by the security governance steering committee.

Our Chief Business and Legal Officer and representatives from our security governance steering committee provide quarterly briefings to the audit committee regarding our company’s cybersecurity risks and activities, including any recent cybersecurity incidents and related responses, cybersecurity systems testing, activities of third parties, and the like. Our audit committee provides regular updates to the board of directors on such reports. In addition, our Chief Business and Legal Officer and representatives from our security governance steering committee provide annual briefings to the board of directors on cybersecurity risks and activities.