Annual and transition report of foreign private issuers [Sections 13 or 15(d)]

Cybersecurity Risk Management and Strategy Disclosure

v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy
 
We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our critical systems and information. To protect our systems and information from cybersecurity threats, we use a variety of security tools and techniques, in order to prevent, detect, investigate, contain, escalate, and recover from identified vulnerabilities and security incidents.
 
Our cybersecurity risk management program is integrated into our overall Company's risk management program, and shares common methodologies and reporting channels that apply across the Company's risk management program to other risk areas. Our management team is principally responsible for facilitating our Company's risk management program, in consultation with multiple functions and reporting to the Board.
 
Our cybersecurity risk management program includes:
 
 
an Information Security Policy that articulates our information security practices and procedures to maintain confidence in our business and to protect the confidentiality, integrity, and availability of the information we handle;
 
a dedicated Cyber Security company responsible for executing on relevant internal and external requirements and identifying appropriate technical and organizational measures to deliver information security in compliance with those requirements;
 
a Cyber Security company, principally responsible for driving our cybersecurity risk assessment processes, including a formal information security risk assessment on an at least annual basis; our security controls framework and risk remediation and prioritizations; and risk awareness or education programs for employees relating to cybersecurity;
 
the use of external resources, such as assessors, consultants, and auditors, where appropriate, to assess, test, or otherwise assist with aspects of our security controls;
 
an external audit of our systems and environments, including an external penetration test, on an annual basis;
 
cybersecurity training of our incident response personnel and senior management;
 
a cybersecurity incident response plan that includes procedures for assessing, responding to, remediating, resolving, and conducting post-analysis of cybersecurity incidents;
 
a vendor assessment program designed to identify and mitigate cybersecurity risks associated with our use of third-party service providers; and
 
contractual obligations on third-party vendors to report security incidents, risk identification, or other security-related issues promptly to designated contact personnel at the Company.
 
On October 30, 2024, the Company became aware that its third-party IT services provider was subject to a cybersecurity attack by an Iranian threat actor group and that as a result the Group was also exposed due to such an attack. The Company's immediate investigation, conducted in collaboration with both the affected IT service provider and the Company's cybersecurity service provider (who also serve as the Company's Chief Information Security Officer), determined that the source of potential unauthorized access was limited to an external system managed by another third-party service provider.
 
Upon discovery of this incident, the Company promptly implemented its incident response protocol, including: (1) initiating a comprehensive forensic investigation; (2) disconnecting and securing the affected third-party system; (3) engaging external forensic IT specialists to evaluate the nature and scope of the attack; and (4) notifying the relevant regulatory authority regarding the limited exposure of certain employee information (both current and former).
 
Based on the investigation's findings, the Company confirms that: (i) no unauthorized parties gained access to the Company's internal systems; (ii) no patient data was compromised; (iii) no sensitive information was disclosed; and (iv) the Company's internal network remains free of malicious actors.
 
The Company concluded that this cybersecurity incident has not materially affected, and is not reasonably likely to materially affect, the Company's business strategy, results of operations, or financial condition. The Company continues to enhance its cybersecurity protocols and third-party risk management framework to mitigate potential future threats.
 
Additionally, we have not identified risks from any other known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of our critical systems and information. To protect our systems and information from cybersecurity threats, we use a variety of security tools and techniques, in order to prevent, detect, investigate, contain, escalate, and recover from identified vulnerabilities and security incidents.
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
The Company concluded that this cybersecurity incident has not materially affected, and is not reasonably likely to materially affect, the Company's business strategy, results of operations, or financial condition. The Company continues to enhance its cybersecurity protocols and third-party risk management framework to mitigate potential future threats.
 
Additionally, we have not identified risks from any other known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]
Governance
 
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the management oversight of our cybersecurity and data protection program.
 
The Board receives annual updates from management on our cybersecurity and data protection programs, including related trends or metrics.
 
In addition to any reports from the management to the Board regarding cybersecurity, management informs and updates the Board about any significant cybersecurity incidents.
 
Our management team, together with an external company which provides professional Cyber Security Services to the Company, is responsible for assessing and managing material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.
 
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our Board considers cybersecurity risk as part of its risk oversight function and has delegated to the management oversight of our cybersecurity and data protection program.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
In addition to any reports from the management to the Board regarding cybersecurity, management informs and updates the Board about any significant cybersecurity incidents.
Cybersecurity Risk Role of Management [Text Block]
Our management team, together with an external company which provides professional Cyber Security Services to the Company, is responsible for assessing and managing material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.
 
Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel, threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Our management team, together with an external company which provides professional Cyber Security Services to the Company, is responsible for assessing and managing material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity personnel and our retained external cybersecurity consultants.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Board receives annual updates from management on our cybersecurity and data protection programs, including related trends or metrics.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true