enGene Holdings Inc. 10-K Cybersecurity GRC - 2024-01-29

Page last updated on April 11, 2024

enGene Holdings Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-29 07:17:47 EST.

Filings

10-K filed on 2024-01-29

enGene Holdings Inc. filed an 10-K at 2024-01-29 07:17:47 EST
Accession Number: 0000950170-24-008125

Item 1C. Cybersecurity.

Not applicable.

Item 1A. Risk Factors.

Cyber-attacks or other failures in our or our third-party vendors’, contractors’ or consultants’ telecommunications or information technology systems could result in information theft, data corruption and significant disruption of our business operations.

We, our programs, our CROs, third-party logistics providers, distributors and other contractors and consultants utilize information technology (“IT”), systems and networks to process, transmit and store electronic information, including but not limited to intellectual property, proprietary business information and personal information, in connection with our business activities. Our internal IT systems and those of current and future third parties on which we rely may fail and are vulnerable to breakdown, breach, interruption or damage from cyber incidents, employee error or malfeasance, theft or misuse, sophisticated nation-state and nation-state- supported actors, unauthorized access, natural disasters, terrorism, war, telecommunication and electrical failures or other compromises. As use of digital technologies has increased, cyber incidents, including third parties gaining access to employee accounts using stolen or inferred credentials, computer malware (e.g., ransomware), viruses, spamming, phishing attacks, denial-of-service attacks or other means, and deliberate attacks and attempts to gain unauthorized access to computer systems and networks, have increased in frequency, intensity, and sophistication. These threats pose a risk to the security of our, our programs’, our CROs’, third-party logistics providers’, distributors’ and other contractors’ and consultants’ systems and networks, and the confidentiality, availability and integrity of our intellectual property, confidential information, preclinical and clinical trial data, proprietary business information, personal data, and health-related information. There can be no assurance that we or any of our third-party partners will be successful in preventing cyberattacks or successfully mitigating their effects.

Advances in computer and software capabilities, encryption technology, and other discoveries increase the complexity of our technological environment, including how each interacts with our various software platforms. Such advances could delay or hinder our ability to conduct business or could compromise the integrity of our data, resulting in a material adverse impact on our financial condition and results of operations. The risk of system disruption is increased when significant system changes are undertaken. If we fail to timely integrate and update our information technology systems and processes, we may fail to realize the cost savings or operational benefits anticipated to be derived from these initiatives. We also may experience occasional system interruptions and delays that make our information technology systems unavailable or slow to respond, including the interaction of our information technology systems with those of third parties. A lack of sophistication or reliability of our information technology systems could adversely impact our operations and consumer service and could require major repairs, replacements or remodelings, resulting in significant costs.

The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hackers, non-U.S. governments, and cyber terrorists, has generally increased as the number, intensity, and sophistication of attempted attacks and intrusions from around the world have increased. In addition, in response to the changes in workforce habits driven by the COVID-19 pandemic, varying parts of our workforce are currently working remotely on a part or full time basis. This could increase our cyber security risk, create data accessibility concerns, and make us more susceptible to communication disruptions. We may not be able to anticipate all types of security threats, and we may not be able to implement preventive measures effective against all such security threats. The techniques used by cyber criminals change frequently, may not be recognized until launched, and can originate from a wide variety of sources, including outside groups such as external service providers, organized crime affiliates, terrorist organizations or hostile non-U.S. governments or agencies. We may also experience security incidents that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Similarly, there can be no assurance that our CROs, third-party logistics providers, distributors and other contractors, consultants and third parties will be successful in protecting our clinical and other data that is stored on their systems. Any loss of clinical trial data from our completed or ongoing clinical trials for any of our product candidates could result in delays in our development and regulatory approval efforts and significantly increase our costs to recover or reproduce the data. We and certain of our service providers are from time to time subject to cyberattacks and security incidents. We have experienced and expect to continue to experience actual and attempted cyberattacks of our IT networks, such as through phishing scams and ransomware. Although we do not believe that we have experienced any significant system failure, accident or security incidents to date, we cannot guarantee that we will not experience such incidents in the future.

Any cyberattack that leads to unauthorized access, use, or disclosure of personal information, including personal information regarding clinical trial participants or employees, data breach or destruction or loss of data could result in a violation of applicable U.S. and international privacy, data protection and other laws and regulations, require us to notify affected individuals or supervisory authorities, subject us to litigation and governmental investigations, proceedings and regulatory actions by federal, state and local regulatory entities in the United States and by international regulatory entities, cause our exposure to material civil and/or criminal liability and cause us to breach our contractual obligations, which could result in significant legal and financial exposure and reputational damages. Further, we could be forced to expend significant financial and operational resources in response to a security breach, including repairing system damage, increasing security protection costs by deploying additional personnel and modifying or enhancing our protection technologies, investigating and remediating any information security vulnerabilities and defending against and resolving legal and regulatory claims, all of which could divert resources and the attention of our management and key personnel away from our business operations and adversely affect our business, financial condition and results of operations. As cyber threats continue to evolve, we may be required to incur significant additional expenses in order to implement further data protection measures or to remediate any information security vulnerability. Further, we do not maintain separate cyber liability insurance and our general liability insurance and corporate risk program may not cover all potential claims to which we are exposed and may not be adequate to indemnify us for all liability.

There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages as a result of the events referenced above. We also cannot be certain that our existing insurance coverage will continue to be available on acceptable terms or in amounts sufficient to cover the potentially significant losses that may result from a security incident or breach or that the insurer will not deny coverage of any future claim. Accordingly, if our cybersecurity measures, and those of our service providers, fail to protect against unauthorized access, attacks and the mishandling of data by our employees and third-party service providers, then our business, financial condition, results of operations and prospects could be adversely affected.

Company Information