would result in significant costs of compliance if final rules that are similar to the proposed rules are approved in the future. Our management and other personnel will need to devote a substantial amount of time to these compliance initiatives. Moreover, these rules and regulations will increase our legal and financial compliance costs and will make some activities more time consuming and costly. For example, we expect these rules and regulations to make it more difficult and more expensive for us to obtain director and officer liability insurance and we may be required to incur substantial costs to maintain our current levels of such coverage.
Our information technology systems, or those used by our third-party CROs or other contractors or consultants, may fail or suffer security breaches and geopolitical tensions or conflicts, such as the ongoing war in Ukraine, may create a heightened risk of cyberattacks.
Despite the implementation of security measures, our internal computer, server, and other information technology systems as well as those of our third-party collaborators, consultants, contractors, suppliers, and service providers, may be vulnerable to damage from physical or electronic break-ins, computer viruses, “phishing” attacks, malware, ransomware, denial of service and other cyber-attacks or disruptive incidents that could result in unauthorized access to, use or disclosure of, corruption of, or loss of sensitive, and/ or proprietary data, including health-related information or other personal information, and could subject us to significant liabilities and regulatory and enforcement actions, and reputational damage. In addition, geopolitical tensions or conflicts, such as Russia’s invasion of Ukraine, may create a heightened risk of cyberattacks. We have also outsourced elements of our information technology infrastructure, and as a result a number of third-party vendors may or could have access to our confidential information. If we or any of our third-party collaborators or service providers were to experience any material failure or security breach, it could result in a material disruption of our development programs, reputation, and business operations. For example, the loss of clinical study data from completed or ongoing clinical studies could result in delays in any regulatory approval or clearance efforts and significantly increase our costs to recover or reproduce the data, and subsequently commercialize the product.
We and certain of our service providers are from time to time subject to cyberattacks and security incidents. While we do not believe that we have experienced any significant system failure, accident or security breach to date, if we or our third-party collaborators, consultants, contractors, suppliers, or service providers were to suffer an attack or breach, for example, that resulted in the unauthorized access to or use or disclosure of personal information, including health-related information, we may have to notify individuals, collaborators, government authorities, and the media, and may be subject to investigations, civil penalties, administrative and enforcement actions, and litigation, any of which could harm our business and reputation. Likewise, we rely on our third-party CROs and other third parties to conduct clinical studies, and similar events relating to their computer systems could also have a material adverse effect on our business.
Attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. Further, the COVID-19 pandemic is generally increasing the attack surface available to criminals, as more companies and individuals work online and work remotely, and as such, the risk of a cybersecurity incident potentially occurring, and our investment in risk mitigations against such an incident, is increasing. For example, there has been an increase in phishing and spam emails as well as social engineering attempts from “hackers” hoping to use the recent COVID-19 pandemic to their advantage. Because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence.
To the extent that any disruption or security breach were to result in a loss of, or damage to, our data or systems, or inappropriate or unauthorized access to or disclosure or use of confidential, proprietary, or other sensitive, personal information, including health-related information, we could incur liability and suffer reputational harm, and the development and commercialization of our products could be delayed. Federal, state and international laws and regulations can expose us to enforcement actions and investigations by regulatory authorities, and potentially result in regulatory penalties, fines and significant legal liability, if our information technology security efforts fail. We may also be exposed to a risk of loss or litigation and potential liability, which could materially and adversely affect our business, results of operations or financial condition. Our insurance policies may not be adequate to compensate us for the potential losses arising from such disruptions, failure, or security breach. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all. Further, our insurance may not cover all claims made against us and defending a suit, regardless of its merit, could be costly, divert management attention, and harm our reputation.
We face the significant risks associated with our recent company-wide implementation of an ERP system that may adversely affect our business and results of operations or the effectiveness of our internal controls over financial reporting.
