In the ordinary course of our business, we (and third parties with whom we work) collect, receive, store, use, transfer, make accessible, protect, secure, dispose of, transmit, disclose, or otherwise process (commonly known as processing) proprietary, confidential, and sensitive data, including personal data (such as health-related data and participant study related data), intellectual property, and trade secrets (collectively, sensitive information). In addition, we rely on third-party service providers to establish and maintain appropriate information technology and data security protections, including disaster recovery and business continuity procedures, over the information technology systems they provide us to operate our critical business systems, including cloud-based infrastructure and systems, employee email, and data storage and management systems. However, except for contractual duties and obligations, we have limited ability to control or monitor third parties' safeguards and actions related to such matters, and these third parties may not have adequate information security measures in place. Furthermore, while we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. Most of our employees work remotely, resulting in increased risks of loss or theft of company devices as well as increased risks to our information technology systems and data, as employees utilize network connections, computers, and devices outside our premises and networks, including working at home and while in transit and in public locations. Additionally, the prevalent use of mobile devices that access our sensitive information increases the risk of security incidents.
Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program.
Our information technology systems, including in our remote work environment, and those of the third parties with whom we work, have been in the past and may continue to be vulnerable to evolving threats. These threats are prevalent, continue to increase, and come from a variety of sources such as traditional "hackers," threat actors, "hacktivists," organized criminal threat actors, or internal bad actors, personnel (such as through theft, error or misuse), sophisticated nation states and nation-state-supported actors. These threats include, but are not limited to, social-engineering attacks, targeted phishing campaigns, malicious code or malware, unauthorized intrusions, denial-of-service attacks, personnel misconduct or errors, ransomware attacks, supply-chain attacks, software bugs, computer viruses, server malfunctions, software, hardware or data center failures, loss of data or other information technology assets, natural disasters, terrorism, war, telecommunication and electrical failures and attacks enhanced or facilitated by artificial intelligence, or AI, and other similar threats. In particular, ransomware attacks are becoming increasingly prevalent and severe and can lead to significant interruptions in operations, loss of sensitive data and income, reputational harm, and diversion of funds.
If we were to experience such an attack, extortion payments might alleviate the negative impact of a ransomware attack, but we might be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Similarly, supply-chain attacks and attacks on clinical trial sites as well as regulatory and health authorities have increased in frequency and severity, and we cannot guarantee that third parties and infrastructure in our supply chain or our third-party partners' supply chains, or of clinical trial sites and regulatory and health authorities, have not been compromised or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our information technology systems or the third-party information technology systems that support us and the services provided to us, or remediate and recover compromised systems in a timely manner. For example, in February 2024, one of our service providers that processes clinical trial data experienced a security incident that resulted in certain of the service provider's information systems being unavailable for a limited period of time. Based on the service provider's forensic investigation findings that were shared with us, we believe that this incident did not have a material impact on us, our clinical trials or clinical trial participants. As another example, in March 2024, we learned about another security incident, involving another service provider that processes personnel data for our limited number of UK personnel and directors of Geron UK Ltd. Following the service provider's forensic investigation, the service provider informed us that it did not determine the specific data involved or the incident's impact.
While we believe that this incident did not have a material impact on us, out of an abundance of caution, we submitted a notification to the UK Information Commissioner's Office and notified potentially affected personnel and directors of the incident.
Any of these or similar incidents or threats may result in unauthorized, unlawful or accidental loss, corruption, access, modification, destruction, alteration, acquisition or disclosure of sensitive information, such as clinical trial data or information, intellectual property, proprietary business data and personal data. The costs to us to attempt to protect against such security incidents could be significant, including potentially requiring us to modify our business, and while we have implemented security measures, policies and procedures designed to protect our information technology systems from cybersecurity threats and to identify and remediate vulnerabilities, such measures may not be fully implemented, complied with or successful in protecting our systems and information. We may expend significant resources or modify our business activities (including our clinical trial activities) to try to protect against security incidents. We may be unable in the future to detect cybersecurity threats or vulnerabilities in our information technology systems because such threats and techniques change frequently, are sophisticated in nature, and may not be detected until after a security incident has occurred. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence. Unremediated high-risk or critical vulnerabilities pose material risks to our business, particularly due to the reliance on software vendors to adequately patch and implement fixes to address critical or high-risk vulnerabilities in a timely manner. Further, we may be materially impacted by software updates applied by our software vendors if such updates cause significant downtime to our systems.
If we or third parties with whom we work experience or are perceived to have experienced a breach, we may experience material adverse consequences. These consequences may include: government enforcement actions (for example, investigations, fines, penalties, audits, and inspections), interruptions in our operations, including disruption of our commercialization and development efforts, interruptions or restrictions on processing sensitive data (which could result in delays in obtaining, or our inability to obtain, regulatory approvals and significantly increase our costs to recover or reproduce the data), reputational harm, litigation (including class action claims), indemnification obligations, negative publicity, financial loss, and other harms. In addition, such a breach may require public notification of the breach, or we may choose to voluntarily notify relevant stakeholders, or take other actions, such as providing credit monitoring and identity theft protection services, and we have done so in the past. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences.
In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. Additionally, sensitive information of the Company could be leaked, disclosed, or revealed as a result of or in connection with our employees', personnel's, or vendors' use of generative AI technologies.
Many of our contracts with relevant stakeholders include obligations relating to the safeguarding of sensitive information, and a breach could lead to claims against us by such stakeholders. There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities, damages, or claims relating to our data privacy and security obligations. In addition, failure to maintain effective internal accounting controls related to data security breaches and cybersecurity in general could impact our ability to produce timely and accurate financial statements and could subject us to regulatory scrutiny.