Risk Management and Strategy

We have processes in place to regularly assess, manage and identify potential risks from cybersecurity threats. Our cybersecurity policies and processes are integrated into our overall risk management program. To protect our information systems from cybersecurity threats, we use various security tools and processes that are designed to help identify and investigate any security incidents in a timely manner. When any risk or threat is identified we have a designated group of individuals including representatives from our information security team, finance team, compliance teams and legal teams who are involved in the assessment of the risk based on probability and potential impact to key business systems and processes. Risks that are considered to have a high impact to our business are incorporated into our

enterprise risk management program. The tracking of these risks and the processes we have in place to address cybersecurity threats are tracked as part of our overall risk management program overseen by the Audit Committee of our board of directors.

​

We collaborate with third parties to assess the effectiveness of our cybersecurity prevention and response systems and processes. These include cybersecurity assessors, consultants, and other external cybersecurity experts to assist in the identification, verification, and validation of cybersecurity risks, as well as to support associated mitigation plans when necessary.

​

As part of our overall risk management system, we train our staff on the safeguards we have in place to mitigate cybersecurity threats and ensure employees are able to identify potential attempts to breach our security and how to report and deal with any potential threats. We have procedures in place to assess and manage potential supply chain risks posed by third-party vendors and collaborators. As part of our cybersecurity risk management program, we work with certain third-party vendors to assess their cybersecurity processes, including a process for requesting that vendors who have access to our systems and data complete cybersecurity questionnaires prior to onboarding.

​

We have not identified any cybersecurity threats that have materially affected our ability to conduct our business or our financial standing. Refer to the risk factor captioned "Our internal information technology systems, or those of our partners, third-party CROs or other contractors or consultants, may fail or suffer cybersecurity incidents, including related to data protection and privacy laws and adversely affect our business and operations" in Part I, Item 1A. "Risk Factors" for additional description of cybersecurity risks and potential related impacts on our Company.

As part of our overall risk management system, we train our staff on the safeguards we have in place to mitigate cybersecurity threats and ensure employees are able to identify potential attempts to breach our security and how to report and deal with any potential threats. We have procedures in place to assess and manage potential supply chain risks posed by third-party vendors and collaborators. As part of our cybersecurity risk management program, we work with certain third-party vendors to assess their cybersecurity processes, including a process for requesting that vendors who have access to our systems and data complete cybersecurity questionnaires prior to onboarding.

Governance

​

Our board of directors oversees our risk management process, including as it pertains to cybersecurity risks. The Audit Committee of the board oversees our risk management program on behalf of the Board of Directors, which focuses on the most significant risks. Audit Committee meetings include discussions of any specific risk areas which are significantly increasing or which are of particular concern and at least once a year a third party expert in cybersecurity works with the Audit Committee and our Information Management team to assess the processes and controls we have in place around cybersecurity

​

We have introduced corporate policies and training on these policies for all of our staff. Our Information Management team, and in particular our information security team together with the corporate compliance team are responsible for ensuring compliance with these corporate policies. Our Chief Operating Officer and Compliance Officer oversees our policies and is primarily responsible to assess and manage material risks from cybersecurity threats, with assistance from third party experts as appropriate and our legal team. Our Global VP of Information Management has overall responsibility for our day to day cybersecurity procedures. We also have a Director heading up our global security and cybersecurity team and a dedicated member of the team overseeing cybersecurity threats and activities. Together those individuals have over 20 years of combined experience of information security.