10-K Filing Date: February 28, 2024
Risk Management and Strategy

The Company has adopted a cybersecurity risk management program that includes processes designed to identify, assess, manage, and monitor risks from cybersecurity threats. We have integrated cybersecurity risk management into our broader risk management framework to promote a company-wide culture of cybersecurity awareness and risk management. Those processes include conducting an assessment of internal and external threats to the security, confidentiality, integrity and availability of Company data and systems, along with other material risks to Company operations, at least annually or whenever there are material changes to the Company’s systems or operations, and responding to risks identified. The Company uses NIST cybersecurity and risk management frameworks to assess its cybersecurity controls, risks, and overall program effectiveness. As part of our risk management process, the Company also engages outside providers to conduct periodic internal and external penetration testing and security assessments. As part of our third-party risk management program, we conduct assessments of vendor cybersecurity risks, including risks associated with our cloud vendors and other third parties.

As of the date of this report, we have not experienced a cybersecurity incident that resulted in a material effect on our business strategy, results of operations, or financial condition. Despite our continuing efforts, we cannot guarantee that our cybersecurity safeguards will prevent breaches or breakdowns of our or our third-party service providers’ information technology systems, particularly in the face of continually evolving cybersecurity threats and increasingly sophisticated threat actors. For example, in 2020, several domestic and foreign security agencies announced that government actors or government-affiliated actors were specifically targeting organizations, like us, engaging in COVID-19 vaccine development and research. For more information, see Item 1A Risk Factors, “Security breaches and other disruptions to our information technology systems or those of the vendors on whom we rely could compromise our information and expose us to liability, reputational damage, or other costs.”

The cybersecurity risk management program is led by the Company’s Chief Information Officer (“CIO”) who has over 20 years of experience in information systems, cybersecurity, and data protection. The CIO reports to the Company’s Audit Committee at least annually, as well as to the Board of Directors, the Company’s Chief Executive Officer, and other members of our senior management as appropriate. These reports may feature an overall assessment of the Company’s compliance with the Company’s cybersecurity policies and include topics such as risk assessment, risk management and control decisions, service provider arrangements, test results, security incidents and responses, and recommendations for changes and updates to policies and procedures. Our program is evaluated by internal and external experts with the results of those reviews reported to senior management and the Board.