Item IC. Cybersecurity.

Risk Management and Strategy

Identifying, assessing, and managing material cybersecurity risks is an important component of our overall risk management program. Our cybersecurity strategy is designed to prioritize detecting and responding to threats and effective management of security risks.

To implement our cybersecurity strategy, we maintain various safeguards and undertake certain cybersecurity programs to secure the data we hold, including encrypting sensitive data, utilizing a robust 24/7/365 security monitoring system, monitoring our information systems for potential vulnerabilities, conducting data security assessments of third-party service providers as part of vendor management, and providing employee testing and training, including phishing tests, general cybersecurity awareness training and business team-focused tabletop exercises.

We have also adopted an Incident Response Procedure (the IR Plan) that outlines the legal and governance processes for identifying, assessing and managing material risks to privacy and security. An incident response team and various senior members of management are responsible for carrying out the IR Plan, in conjunction with our third-party IT service provider.

We do not believe that there are currently any risks from cybersecurity threats that are reasonably likely to materially affect the Company or its business strategy, results of operations or financial condition. Risks from cybersecurity threats may, in the future, among other things, cause material disruptions to our operations, which may materially affect our results of operations and/or financial condition. For more information about these risks, see the risk factor titled “If we experience a significant disruption in our information technology systems, or breaches of data security, or become the target of a cyberattack, our business could be adversely affected” under Item 1A of this Annual Report on Form 10-K.

Governance related to Cybersecurity Risks

Our board of directors, as a whole and through its committees, has responsibility for the oversight of risk management. Our board of directors has assigned oversight of cybersecurity risk management to the Audit Committee.

Management, including the Chief Executive Officer (CEO), Chief Financial Officer (CFO) and Senior Vice President, Legal Affairs, are responsible for the day-to-day management of risks we face and are involved in implementing the IR Plan, with assistance from our third-party IT service provider (the IT Provider). Pursuant to the terms of our IR Plan, in the event of a material or potentially material cybersecurity event, senior members of management must be promptly informed of such event and oversee triage, response, and disclosure efforts. If a potential cybersecurity incident is identified, the IT Provider must promptly inform the Incident Response Team (IRT), comprised of a designated key individual from the IT Provider, our Senior Vice President, Legal Affairs and our Senior Vice President and Head of Clinical Development. The IRT must then conduct an initial triage of the event in accordance with the IR Plan and, as needed, escalate such event to the CEO and CFO to determine the appropriate course of action including determining whether the event is deemed material for the purpose of requiring disclosure on a Current Report on Form 8-K filing with the SEC.

Our Audit Committee receives periodic updates and provides feedback on from our management regarding cybersecurity matters, including any cybersecurity risks and/or any incidents and related responses, and is notified between such updates regarding significant new cybersecurity threats or incidents. The board of directors receives regular reports from the Audit Committee addressing cybersecurity as part of our overall risk management program.