We may be unable to adequately protect our information systems from cyberattacks, which could result in the disclosure of confidential or proprietary information, including personal data, damage our reputation, and subject us to significant financial and legal exposure.
We rely on information technology systems that we or our third-party providers operate to process, transmit and store electronic information in our day-to-day operations. In connection with our product discovery efforts, we may collect and use a variety of personal data, such as name, mailing address, email addresses, phone number and clinical trial information. A successful cyberattack could result in the theft or destruction of intellectual property, data or other misappropriation of assets, or otherwise compromise our confidential or proprietary information and disrupt our operations. Cyberattacks are increasing in their frequency, sophistication and intensity, and have become increasingly difficult to detect. Cyberattacks could include wrongful conduct by hostile foreign governments, industrial espionage, wire fraud and other forms of cyber fraud, the deployment of harmful malware, denial-of-service, social engineering fraud or other means to threaten data security, confidentiality, integrity and availability. A successful cyberattack could cause serious negative consequences for us, including, without limitation, the disruption of operations, the misappropriation of confidential business information, including financial information, trade secrets, financial loss and the disclosure of corporate strategic plans. Although we devote resources to protect our information systems, we realize that cyberattacks are a threat, and there can be no assurance that our efforts will prevent information security breaches that would result in business, legal, financial or reputational harm to us, or would have a material adverse effect on our results of operations and financial condition. Any failure to prevent or mitigate security breaches or improper access to, use of, or disclosure of our clinical data or patients’ personal data could result in significant liability under state (e.g., state breach notification laws), federal (e.g., HIPAA, as amended by HITECH), and international law (e.g., the European Union, or EU, General Data Protection Regulation, or GDPR) and may cause a material adverse impact to our reputation, affect our ability to use collected data, conduct new studies and potentially disrupt our business.
We rely on our third-party providers to implement effective security measures and identify and correct for any such failures, deficiencies or breaches. We also rely on our employees and consultants to safeguard their security credentials and follow our policies and procedures regarding use and access of computers and other devices that may contain our sensitive information. If we or our third-party providers fail to maintain or protect our information technology systems and data integrity effectively or fail to anticipate, plan for or manage significant disruptions to our information technology systems, we or our third-party providers could have difficulty preventing, detecting and controlling such cyber-attacks and any such attacks could result in losses described above as well as disputes with physicians, patients and our partners, regulatory sanctions or penalties, increases in operating expenses, expenses or lost revenues or other adverse consequences, any of which could have a material adverse effect on our business, results of operations, financial condition, prospects and cash flows. Any failure by such third-parties to prevent or mitigate security breaches or improper access to or disclosure of such information could have similarly adverse consequences for us. If we are unable to prevent or mitigate the impact of such security or data privacy breaches, we could be exposed to litigation and governmental investigations, which could lead to a potential disruption to our business.
Like many other companies, we have on occasion experienced, and will continue to experience, threats to our data and systems and attempts to damage or steal our property, information or financial resources, including through malicious codes and viruses, phishing, business email compromise attacks, and attempted ransomware or other cyber-attacks. Whereas none of these instances has had a material impact on us so far, the number and complexity of these threats continue to increase over time. For example, in July 2021, we were subject to what we believe was a phishing attack. We do not believe this incident had a material impact on our business or financial condition. However, the number and complexity of these threats continue to increase. If a material breach of our information technology systems or those of our third-party service providers occurs, the market perception of the effectiveness of our security measures could be harmed and our reputation and credibility could be damaged. Such a material breach could also have a material adverse effect on our business, financial condition or results of operations.
We or the third-parties upon whom we depend may be adversely affected by earthquakes, other natural disasters, or political and military events, and our business continuity and disaster recovery plans may not adequately protect us from any such serious disaster.
Any unplanned or unexpected event, such as flood, fire, explosion, earthquake, extreme weather condition, medical epidemics, power shortage, telecommunication failure or other natural or man-made accidents or incidents that result in us being unable to fully utilize our facilities, or our third-party contract manufacturers being unable to operate their manufacturing facilities normally, may have a material and adverse effect on our ability to operate our business, particularly on a daily basis, and have significant negative consequences on our financial and operating conditions. Loss of or reduced access to these facilities or interruptions in the flow of
