Risk Management and Strategy

Cybersecurity and privacy incidents in the pharmaceutical industry are growing in frequency and severity, prompting organizations to invest heavily in people, processes, and technology to bolster their cybersecurity risk management capabilities.

We assess the integrity of our information technology and cybersecurity platforms to help ensure proper safety measures are implemented. We understand the extensive responsibility associated with safeguarding our systems and data. Our processes for assessing, identifying, and managing material risks from cybersecurity threats include:

We rely upon the capacity, availability and security of our information technology hardware and software infrastructure. We maintain comprehensive compliance and security programs designed to help safeguard and ensure the integrity of the confidential information we possess, which includes both organization and technical control measures. We routinely conduct employee trainings on important information security procedures and test and measure compliance with these security measures. In addition, we maintain cyber insurance policies that mitigate the financial risk of any potential incident.

We engage consultants, auditors, and other third parties in connection with such processes. We work with third-party service providers to assist us in our cybersecurity risk management to identify areas that may potentially impact our business, develop and implement control framework to mitigate such cybersecurity risks, and to be prepared to respond to and report (as required) applicable cybersecurity incidents.

We face a number of risks including the growing threat of cybersecurity attacks. Despite our implementation of security measures to combat the threats of cybersecurity attacks, any system failure, accident or security breach could result in disruptions to our operations. To the extent that any disruption, cybersecurity attack or other security breach results in a loss or damage to our data or inappropriate disclosure of confidential information, our business could be harmed. In addition, we may be required to incur significant costs to protect against damaged caused by these disruptions or security breaches in the future.

While we have not, as of the date of this Annual Report on Form 10-K, experienced cybersecurity incidents that have materially affected us, our business strategy, our results of operations or our financial condition, there can be no

guarantee that we will not experience such an incident in the future. For additional information regarding risks from cybersecurity threats, please refer to “Item 1A. Risk Factors” of this annual report on Form 10-K.

We assess the integrity of our information technology and cybersecurity platforms to help ensure proper safety measures are implemented. We understand the extensive responsibility associated with safeguarding our systems and data. Our processes for assessing, identifying, and managing material risks from cybersecurity threats include:

We rely upon the capacity, availability and security of our information technology hardware and software infrastructure. We maintain comprehensive compliance and security programs designed to help safeguard and ensure the integrity of the confidential information we possess, which includes both organization and technical control measures. We routinely conduct employee trainings on important information security procedures and test and measure compliance with these security measures. In addition, we maintain cyber insurance policies that mitigate the financial risk of any potential incident.

We engage consultants, auditors, and other third parties in connection with such processes. We work with third-party service providers to assist us in our cybersecurity risk management to identify areas that may potentially impact our business, develop and implement control framework to mitigate such cybersecurity risks, and to be prepared to respond to and report (as required) applicable cybersecurity incidents.

We face a number of risks including the growing threat of cybersecurity attacks. Despite our implementation of security measures to combat the threats of cybersecurity attacks, any system failure, accident or security breach could result in disruptions to our operations. To the extent that any disruption, cybersecurity attack or other security breach results in a loss or damage to our data or inappropriate disclosure of confidential information, our business could be harmed. In addition, we may be required to incur significant costs to protect against damaged caused by these disruptions or security breaches in the future.

Governance

Our Corporate Governance, Healthcare Compliance Oversight, and Nominating committee oversees our cybersecurity risk management. This committee periodically reviews and assesses the risk exposure of our risks related to data privacy, technology and information security, including cyber-security, and back-up of information systems and makes recommendations to our Board of Director pertaining to monitoring and minimizing findings in such assessment. This committee periodically reports to the Board of Directors.

While the Corporate Governance, Healthcare Compliance Oversight, and Nominating committee oversees our cybersecurity risk management, our management also plays an integral role in cybersecurity oversight. Our management is responsible for day-to-day risk management processes. This includes periodic updates from the Executive Director of Information Technology who has over 24 years of work experience in the life science industry, and holds an undergraduate degree in Industrial Technology. The Executive Director of Information Technology is responsible for managing the daily measures of safeguarding the information technology infrastructure from potential threats and vulnerabilities, which includes monitoring the prevention, detection, mitigation, and remediation of cybersecurity incidents. Additionally, we have established a Crisis Management Team (CMT), which is a team of cross-functional participants who are prepared to review and assess any potential cybersecurity incidents. The CMT team is led by our CFO and our General Counsel who will advise the Corporate Governance, Healthcare Compliance Oversight, and Nominating committee of the Board accordingly in the event of any incident. We believe this division of responsibilities is the most effective approach for addressing our cybersecurity risks and that the Board leadership structure supports this approach.

Our Corporate Governance, Healthcare Compliance Oversight, and Nominating committee oversees our cybersecurity risk management. This committee periodically reviews and assesses the risk exposure of our risks related to data privacy, technology and information security, including cyber-security, and back-up of information systems and makes recommendations to our Board of Director pertaining to monitoring and minimizing findings in such assessment. This committee periodically reports to the Board of Directors.