Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws as well as overall business continuation risk.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, operations, privacy and compliance issues are identified and addressed through a multi-faceted approach. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We also engage third-party cybersecurity consultants to help us oversee cybersecurity threats both internally and in relation to our third-party service providers, including in connection with the foregoing activities. Our third-party cybersecurity consultants work to mitigate cybersecurity risks by executing all-inclusive security procedures, including but not limited to continuous employee education and training, assessing risks, monitoring systems, implementing security controls, and responding to incidents. This is done in a variety of manners including assessing the strength of outside vendors, suppliers and business partners that may have access to the Company’s data and systems, setting up strong access controls in the form of firewalls and encryption, continuous monitoring of data for suspicious activity and other threats, security audits and extensive training.

We have implemented a cybersecurity risk management program that leverages the National Institute of Standards and Technology (“NIST”) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Our cybersecurity team collaborates with stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies. Our risk management program also assesses third-party cybersecurity risks and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, operations, privacy and compliance issues are identified and addressed through a multi-faceted approach. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes. We also engage third-party cybersecurity consultants to help us oversee cybersecurity threats both internally and in relation to our third-party service providers, including in connection with the foregoing activities. Our third-party cybersecurity consultants work to mitigate cybersecurity risks by executing all-inclusive security procedures, including but not limited to continuous employee education and training, assessing risks, monitoring systems, implementing security controls, and responding to incidents. This is done in a variety of manners including assessing the strength of outside vendors, suppliers and business partners that may have access to the Company’s data and systems, setting up strong access controls in the form of firewalls and encryption, continuous monitoring of data for suspicious activity and other threats, security audits and extensive training.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our management. Our Chief Financial Officer (“CFO”) oversees the leaders from our information security, compliance and legal teams who are responsible for our cybersecurity risk management and strategy processes. Our CFO, together with these individuals, also oversee the work of our third-party consultants. These individuals have significant prior business experience in compliance and risk management. Specifically, our CFO has more than 25 years of experience in all aspects of corporate controllership including managing operating and organizational risk developing, executing and maintaining robust internal control environments, including cybersecurity risk and cash controls as part of several pharmaceutical company operations. Our CFO, as well as our management team, are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to our audit committee and overall board of directors on any appropriate items.

Our executive management is responsible for the oversight of risks from cybersecurity threats. Members of our board of directors receive periodic updates from our executive management team regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives. Any urgent cybersecurity threats are immediately flagged and reported to the board of directors.