We are subject to export control and import laws and regulations, including the U.S. Export Administration Regulations, U.S. Customs regulations, various economic and trade sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control, the U.S. Foreign Corrupt Practices Act of 1977, as amended, the U.S. domestic bribery statute contained in 18 U.S.C. § 201, the U.S. Travel Act, the USA PATRIOT Act, and other state and national anti-bribery and anti-money laundering laws in the countries in which we conduct activities. Anti-corruption laws are interpreted broadly and prohibit companies and their employees, agents, contractors and other collaborators from authorizing, promising, offering or providing, directly or indirectly, improper payments or anything else of value to recipients in the public or private sector. We may engage third parties to sell our products outside the United States, to conduct clinical trials and/or to obtain necessary permits, licenses, patent registrations and other regulatory approvals. We have direct or indirect interactions with officials and employees of government agencies or government-affiliated hospitals, universities and other organizations. We can be held liable for the corrupt or other illegal activities of our employees, agents, contractors and other collaborators, even if we do not explicitly authorize or have actual knowledge of such activities. Any violations of the laws and regulations described above may result in substantial civil and criminal fines and penalties, imprisonment, the loss of export or import privileges, debarment, tax reassessments, breach of contract and fraud litigation, reputational harm and other consequences.
Cybersecurity risks and the failure to maintain the security, confidentiality, integrity, or availability of our information technology systems or data, and those maintained on our behalf, could lead to adverse consequences that materially adversely affect our business, including, without limitation, regulatory investigations or actions, a material interruption to our operations, including clinical trials, damage to our reputation and/or subject us to costs, loss of customers or sales, fines and penalties or lawsuits.
We collect and maintain information in digital and other forms that is necessary to conduct our business, and we are increasingly dependent on information technology systems and infrastructure to operate our business. In the ordinary course of our business, we and the third parties with whom we work process sensitive data. We have established physical, electronic and organizational measures designed to safeguard and secure our systems in an effort to prevent a data compromise; there can, however, be no assurance that these measures will be or have been effective. We have also outsourced elements of our information technology infrastructure, and as a result a number of third-party vendors have access to our sensitive data. Our information technology systems and infrastructure, and those of any future collaborators and our contractors, consultants, vendors and other third parties with whom we work, are vulnerable to and have experienced attacks, damage and interruption from cyber-attacks, malicious internet-based activity, online and offline fraud, computer viruses, malware (e.g., ransomware), credential stuffing, credential harvesting, supply-chain attacks, natural disasters, fire, terrorism, war, telecommunication and electrical failures, attacks enhanced or facilitated by AI, denial or degradation of service attacks, hacking, sophisticated nation-state and nation-state supported actors, phishing and other social engineering attacks (including through deep fakes, which are increasingly difficult to identify), attachments to emails, fraud, personnel misconduct or error, server malfunctions, software or hardware failures, loss or theft of data or information technology assets, unauthorized access or use, and other similar threats. In particular, ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of sensitive data, reputational harm, and diversion of funds.
Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments.
The risk of a security breach or disruption, particularly through cyber-attacks, including by computer hackers, foreign governments and cyber terrorists, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. The prevalent use of mobile devices that access sensitive data also increases the risk of lost or stolen devices, security incidents and data security breaches, which could lead to the loss or other compromise of sensitive data. In a hybrid working environment, we also face risks of a security breach or disruption due to our reliance on internet technology and the number of our personnel who are working remotely, which creates additional opportunities for cyber criminals to exploit vulnerabilities or other weaknesses. Additionally, future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. We may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. Security breaches may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence.
We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We have not detected and remediated, and may not in the future detect and remediate, all such vulnerabilities, including on a timely basis. Further, we have experienced and may in the future experience delays in developing and deploying remedial measures and patches designed to address identified vulnerabilities.