34 | U N I V E R S A L R E G I S T R A T I O N D O C U M E N T 2 0 23
a variety of evolving threats, including but not limited to ransomware attacks, which could cause security
incidents. Cyber-attacks, malicious internet-based activity, online and offline fraud, and other similar activities
threaten the confidentiality, integrity, and availability of its sensitive data and information technology systems,
and those of the third parties upon which the Company relies. Such threats are prevalent and continue to rise,
are increasingly difficult to detect, and come from a variety of sources, including traditional computer
“hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or
misuse), sophisticated nation states, and nation-state-supported actors.
Some actors now engage and are expected to continue to engage in cyber-attacks, including without limitation
nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities.
During times of war and other major conflicts, the Company and the third parties upon which the Company
relies may be vulnerable to a heightened risk of these attacks, including retaliatory cyber-attacks, that could
materially disrupt its systems and operations, supply chain, and ability to produce, sell and distribute its
services.
The Company and the third parties upon which the Company relies may be subject to a variety of evolving
threats, including but not limited to social-engineering attacks (including through phishing attacks), malicious
code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions),
denial-of-service attacks (such as credential stuffing), credential harvesting, personnel misconduct or error,
ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures,
loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires,
floods, and other similar threats.
In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant
interruptions in its operations, loss of sensitive data and income, reputational harm, and diversion of funds.
Extortion payments may alleviate the negative impact of a ransomware attack, but the Company may be
unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting
such payments.
Remote work has become more common and has increased risks to the Company’s information technology
systems and data, as more of its employees utilize network connections, computers, and devices outside its
premises or network, including working at home, while in transit and in public locations. Additionally, future
or past business transactions (such as acquisitions or integrations) could expose the Company to additional
cybersecurity risks and vulnerabilities, as its systems could be negatively affected by vulnerabilities present in
acquired or integrated entities’ systems and technologies.
In addition, the Company’s reliance on third-party service providers could introduce new cybersecurity risks
and vulnerabilities, including supply-chain attacks, and other threats to the Company’s business operations.
The Company may rely on third-party service providers and technologies to operate critical business systems
to process sensitive data in a variety of contexts, including, without limitation, cloud-based infrastructure, data
center facilities, employee email, and other functions. The Company may also rely on third-party service
providers to provide other products, services, parts, or otherwise to operate its business. The Company ability
to monitor these third parties’ information security practices is limited, and these third parties may not have
adequate information security measures in place. If the Company’s third-party service providers experience a
security incident or other interruption, the Company could experience adverse consequences. While the
Company may be entitled to damages if the Company’s third-party service providers fail to satisfy their privacy
or security-related obligations to the Company, any award may be insufficient to cover its damages, or the
Company may be unable to recover such award. In addition, supply-chain attacks have increased in frequency
and severity, and the Company cannot guarantee that third parties’ infrastructure in its supply chain or its
third-party partners’ supply chains have not been compromised. One of its CROs has experienced a data
breach that involved personal data being compromised, affecting all the CRO’s customers.
Any of the previously identified or similar threats could cause a security incident or other interruption that
could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration,
encryption, disclosure of, or access to its sensitive data or its information technology systems, or those of the
third parties upon whom the Company relies. A security incident or other interruption could disrupt the
Company’s ability (and that of third parties upon whom the Company relies) to provide its services.
The Company may expend significant resources or modify its business activities to try to protect against
security incidents. Additionally, certain data privacy and security obligations may require the Company to