ESSA’s business and operations could suffer in the event of an actual or perceived information security incident such as a cybersecurity breach, system failure, or other compromise of its systems and/or information, including information held by a third-party contractor or vendor.
ESSA relies on both internal information technology systems and networks, and those of third-party vendors and contractors including, but not limited to, ESSA’s CROs, collaborators, contractors or consultants, to acquire, transmit, store and otherwise process information in connection with its business activities. ESSA’s ability to effectively manage its business depends on the security, reliability and adequacy of its and its third-party vendors’ and collaborators’ technology systems. Any incident, whether hostile or inadvertent, that adversely impacts the confidentiality, integrity or availability of its systems and/or data, including phishing, business email compromise, social engineering, ransomware or other malware, or any security breach, security incident or other destruction, loss, or unauthorized use or other processing of data maintained or otherwise processed by ESSA or on its behalf could result in a loss of intellectual property or misappropriation of trade secrets, disruptions to its business and operations, subject it to increased costs and require it to expend time and resources to address the matter, may subject it to claims, demands, and proceedings by private parties, regulatory investigations and other proceedings, and fines, penalties, and other liability and have a material adverse effect on ESSA’s business. In addition, the loss, alteration or other damage to or other unavailability of preclinical data or clinical trial data from completed or ongoing clinical trials for ESSA’s planned product candidates could result in delays in its development and regulatory approval efforts and significantly increase its costs to recover or reproduce the data. Any cyber-attack, security breach or incident, or other destruction, loss or unauthorized processing of data maintained or otherwise processed by ESSA or on its behalf, or the perception any such matter has occurred, could result in actual or alleged violations of applicable U.S. and international privacy, data protection, information security and other laws and regulations, harm ESSA’s reputation and subject it to litigation and governmental investigations and proceedings by federal, state and local regulatory entities in the U.S. and by international regulatory entities, resulting in exposure to material civil and/or criminal proceedings and liability. In addition, ESSA may incur significant additional expense to implement further measures relating to privacy, data protection and information security, whether in response to an actual or perceived security breach or incident or otherwise.
To date, ESSA has not experienced any material impact to its business, financial position or operations resulting from cyberattacks or other information security incidents; however, because of frequently changing attack techniques, along with the increased volume and sophistication of such attacks, ESSA’s business, financial position or operations could be adversely impacted in the future. Moreover, the increasingly distributed nature of computing, including prevalent use of mobile devices to access confidential information and widespread use of cloud-based applications hosted in remote data centers, increases the risk of security breaches and incidents. These risks may be heightened due to the increasing number of ESSA’s and its third-party vendors’ and collaborators’ personnel working remotely. As cyber threats continue to evolve, ESSA may be required to expend significant additional resources to continue to modify or enhance its protective measures or to investigate and remediate information security vulnerabilities, threats and incidents. While ESSA has implemented layered security measures, its computer systems and the external systems and services used by its third-party CMOs and CROs and their vendors and contractors remain potentially vulnerable to these events and there can be no assurance that ESSA will be successful in preventing cyber-attacks or successfully mitigating their effects. ESSA’s insurance policies may not be adequate to compensate ESSA for the potential loss arising from such incidents or security breaches. In addition, such insurance may not be available to ESSA in the future on economically reasonable terms, or at all. Further, ESSA’s insurance may not cover all claims made against ESSA and could have high deductibles in any event, and defending a suit, regardless of its merit, could be costly and divert management attention.
While ESSA has invested in the protection of data and information technology, there can be no assurance that ESSA’s efforts, or those of ESSA’s third-party collaborators, if any, to implement adequate security and quality control measures for data processing would be sufficient to protect against data deterioration or loss in the event of a system malfunction, or to prevent data from being stolen or corrupted in the event of a security breach.
Business disruptions could seriously harm ESSA’s future revenues and financial condition and increase costs and expenses.
ESSA’s operations and the operations of third parties upon whom ESSA depends could be subject to earthquakes, power shortages, telecommunications failures, water shortages, floods, hurricanes, typhoons, fires, extreme weather conditions, medical epidemics and other natural or manmade disasters or business interruptions, for which ESSA is predominantly self-insured. Although ESSA carries insurance for earthquakes and other natural disasters, ESSA may not carry sufficient