designed to safeguard and secure our systems in an effort to prevent a data compromise; there can, however, be no assurance that these measures will be or have been effective. We have also outsourced elements of our information technology infrastructure, and as a result a number of third-party vendors have access to our sensitive data. Our information technology systems and infrastructure, and those of any future collaborators and our contractors, consultants, vendors and other third parties with whom we work, are vulnerable to and have experienced attacks, damage and interruption from cyber-attacks, malicious internet-based activity, online and offline fraud, computer viruses, malware (e.g., ransomware), credential stuffing, credential harvesting, supply-chain attacks, natural disasters, fire, terrorism, war, telecommunication and electrical failures, attacks enhanced or facilitated by AI, denial or degradation of service attacks, hacking, sophisticated nation-state and nation-state supported actors, phishing and other social engineering attacks (including through deep fakes, which are increasingly more difficult to identify), attachments to emails, fraud, personnel misconduct or error, server malfunctions, software or hardware failures, loss or theft of data or information technology assets, unauthorized access or use, and other similar threats. In particular, ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of sensitive data, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments.
The risk of a security breach or disruption, particularly through cyber-attacks, including by computer hackers, foreign governments and cyber terrorists, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. The prevalent use of mobile devices that access sensitive data also increases the risk of lost or stolen devices, security incidents and data security breaches, which could lead to the loss or other compromise of sensitive data. In a hybrid working environment, we also face risks of a security breach or disruption due to our reliance on internet technology and the number of our personnel who are working remotely, which creates additional opportunities for cyber criminals to exploit vulnerabilities or other weaknesses. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. We may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. Security breaches may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence.
We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We may not, however, detect and remediate all such vulnerabilities including on a timely basis. Further, we have and may in the future experience delays in developing and deploying remedial measures and patches designed to address identified vulnerabilities.
We rely upon third-party service providers and technologies to operate critical business systems and process sensitive data in a variety of contexts, including, without limitation, third-party providers of cloud-based infrastructure, encryption and authentication technology, employee email, and other functions. Our ability to monitor these third parties’ security practices is limited, and these third parties may not have adequate security measures in place. Our third-party service providers have experienced and may experience in the future a security incident or other interruption. For example, one of our third-party drug component suppliers experienced a cyber-attack, which did not materially impact our operations. In addition, in 2024, one of our vendors experienced a cyber-attack which resulted in our access to the third-party system being unavailable to us for a brief period of time before being restored, which we concluded did not materially impact our operations or clinical data. These and similar incidents have and could lead to business interruptions and additional costs. Any significant system failure, accident or security breach and resulting interruptions in our operations or our critical third parties’ operations could result in a material disruption of our product development programs, and ultimately, our financial results. For example, the loss of clinical trial data from completed or ongoing or planned clinical trials could result in delays in our regulatory approval efforts and significantly increase our costs to recover or reproduce the data. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award.
We may expend significant resources or modify our business activities (including our clinical trial activities) to try to protect against security incidents. The costs to us to prevent, investigate, mitigate and remediate security incidents, breaches, disruptions, network security problems, bugs, viruses, worms, malicious software programs and security vulnerabilities could be significant, and while we have implemented security measures designed to protect our data security and information technology systems and sensitive data, our efforts to address these problems may not be successful, and these problems have and may in the future result in unexpected interruptions, delays, cessation of service, negative publicity and other harm to our business and our competitive position. Any security compromise affecting us or the third parties with whom we work, or our industry, whether real or perceived, could harm our reputation, erode confidence in the effectiveness of our security measures and lead to regulatory scrutiny. Moreover, if a security breach affects our