AXIM BIOTECHNOLOGIES, INC. - (AXIM)
10-K Filing Date: April 16, 2024
Risk Assessment and Management
We regularly assess risks from cybersecurity threats; monitor our information systems for potential vulnerabilities; and test those systems pursuant to our cybersecurity policies, processes, and practices, which are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools that are designed to help identify, escalate, investigate, resolve, and recover from security incidents in a timely manner.
The company has an ERM program to identify, evaluate, and manage risks. Cybersecurity risks are evaluated alongside other critical business risks under the ERM program to align cybersecurity efforts with the company’s broader business goals and objectives. We believe that integrating cybersecurity risks into our ERM program fosters a proactive and holistic approach to cybersecurity, which helps safeguard the company’s operations, financial condition, and reputation in an ever-evolving threat landscape.
The company maintains a cybersecurity program that is designed to identify, protect from, detect, respond to, and recover from cybersecurity threats and risks, and protect the confidentiality, integrity, and availability of its information systems, including the information residing on such systems. Keep in mind we are a small company with limited exposures. As such, we rely on traditional bookkeeping and reconciliations to discover any cybersecurity issues.
Cybersecurity threats, including those resulting from any previous cybersecurity incidents, had not materially affected the company, including our business strategy, results of operations, or financial condition. We do not believe that cybersecurity threats resulting from any previous cybersecurity incidents of which we are aware are reasonably likely to materially affect our company. Our systems, infrastructure or data, or those used by our CROs, CMOs, clinical sites or other contractors or consultants, may or may be perceived to fail or suffer a cyberattack, security breach or other incident, including a breakdown or compromise of the confidentiality, integrity and availability of our systems, networks or data, which could adversely affect the operation of our business and reputation.
Incident Response
The company does not have a dedicated incident management team responsible for managing and coordinating its cybersecurity incident response efforts. We have limited exposure to cybersecurity risks. We are a small company.
Governance
Board Oversight Role
Our Board of Directors oversees our risk management process, including as it pertains to cybersecurity risks, directly and through its committees. The Audit Committee (the Committee) of the Board of Directors oversees our cybersecurity and data privacy. The Committee meets periodically to review and discuss with management risks relating to significant cybersecurity matters and concerns involving the company, including information security, data privacy, backup of information systems and related regulatory matters and compliance. The Committee regularly reports to the Board of Directors with respect to the Committee’s activities and recommendations, including those relating to cybersecurity matters and concerns. The company provides reports to the Committee on information security matters, including the adequacy and effectiveness of the company’s information security policies and practices and the internal controls regarding information security, and notifies the chairperson of the Committee as soon as practicable of significant information security matters and concerns as they arise on a periodic basis.
Management’s Role
The company does not have a dedicated cybersecurity organization within its technology department that focuses on current and emerging cybersecurity matters.
Use of Third Parties
Oversight of Third-Party Service Providers
The company uses third-party service providers to support its operations and many of its technology initiatives, and evaluates its third-party service providers from a cybersecurity risk perspective, which may include an assessment of that service provider’s cybersecurity posture or a recommendation of specific mitigation controls. Following such evaluation, the company determines and prioritizes service provider risk based on the potential threat impact and likelihood, and such risk determination drives the level of due diligence and ongoing compliance monitoring required for each service provider.
PART II