Telesis Bio Inc. - (TBIO)

10-K Filing Date: March 29, 2024
Item 1C. Cybersecurity

 

Our Board of Directors recognizes the critical importance of information security to the Company’s operational success. We continue to make substantial investments to augment the capabilities of our people, processes, and technologies in order to address our cybersecurity risks. Our cybersecurity risks are integrated into our overall risk management governance and are reviewed on at least a quarterly basis by the Audit Committee of our Board of Directors and at least annually by the full Board of Directors. The policies, processes and standards designed to mitigate those risks are based on recognized frameworks established by the National Institute of Standards and Technology, and are focused on preserving the confidentiality, security, and availability of information that the Company collects and stores. The Company takes a comprehensive approach to analyzing and mitigating cybersecurity risks, focused on preventing, identifying, mitigating, and responding to cybersecurity threats.

 

Risk Management and Strategy

 

Policies and Procedures

 

As of December 31, 2023, we have implemented a set of comprehensive cybersecurity and data protection policies and procedures. Our comprehensive information security program is based on recognized industry standards covering areas such as risk management, incident response, change management, vendor assessment, data backup, and disaster recovery. Our policies and procedures provide for the prompt escalation and communication of significant cybersecurity incidents so that Company senior management, and where appropriate, the Board of Directors, can make decisions regarding the handling, public disclosure and reporting of such incidents in a timely and effective manner.

 

Technical Safeguards

 

We invest in advanced technologies for continuous cybersecurity monitoring across our information technology environment which are designed to prevent, detect, and minimize cybersecurity attacks, as well as alert management of such attacks. These safeguards include firewalls, intrusion prevention, testing and detection tools, anti-malware functionality, software patch management, facility and infrastructure security, system change control, and access controls. Technical safeguards are evaluated and upgraded over time to address risks identified through vulnerability assessments and cybersecurity threat analysis. We have implemented processes to monitor security threats and vulnerabilities and respond to all cybersecurity incidents affecting us.

 

Testing and Assessments

 

We conduct periodic reviews and tests of Company policies, processes, and standards designed to address cybersecurity risks and incidents. These efforts include annual vulnerability and penetration testing, audits, and other measures to identify and remediate cybersecurity gaps. The Company engages third parties to perform audits and assessments on our information security control environment and operational effectiveness, including information security maturity assessments. The results of such reviews, audits, and assessments are reported to the Audit Committee and senior management, and the Company makes adjustments to its cybersecurity policies, standards and processes as necessary based on this information. The Company also retains consultants and other advisors to assist in the development and maintenance of cybersecurity and data protection policies and procedures in compliance with applicable regulations and standards.

 



 

 

Incident Response and Recovery Planning

 

The Company has implemented and maintains detailed incident response and backup and recovery plans designed to fully address the Company’s response to a cybersecurity incident. These plans are tested and assessed on a periodic basis.

 

Third Party Risk Management

 

The Company has implemented a vendor management procedure to identify, evaluate, and oversee cybersecurity risks posed by third parties, including vendors, service providers and external users of the Company’s information systems, as well as third party systems that collect, store or otherwise interact with Company information. The Company conducts vendor assessments to review third party security measures, as well as adherence to relevant industry information security standards.

 

Education and Awareness

 

Our employees and contractors receive regular cybersecurity awareness training, including specific topics related to social engineering and email fraud, to communicate the Company’s evolving information security policies, procedures, and standards. Employee training includes periodic phishing exercises to provide Company employees with a heightened level of awareness to cybersecurity threats, and to equip them with relevant information to prevent cybersecurity incidents.

 

Governance

 

Our Board of Directors’ Audit Committee is responsible for overseeing our cybersecurity risk management and strategy. The Company’s Director of IT Operations reports to the Audit Committee and other members of management on at least a quarterly basis on cybersecurity risks. These reports provide a comprehensive view of the Company’s cybersecurity program, including recent developments, cybersecurity strategy, ongoing assessments of the Company’s security posture and cyber threats and risks, results of third party audits and testing, policy and procedure updates, security upgrades and initiatives, risk mitigation strategies, and employee training programs. Under the Company’s cybersecurity Incident Response Plan, the Audit Committee and executive management also receive prompt information regarding any incidents that may meet established reporting thresholds, as well as ongoing updates regarding any such incident until it has been fully resolved.

 

The Company’s Director of IT Operations works collaboratively with the Chief Executive Officer (CEO), Chief Financial Officer (CFO), and Chief Legal Officer (CLO) to implement a thorough program to assess cybersecurity risks and vulnerabilities, protect the Company’s information systems from cybersecurity threats, and respond effectively to cybersecurity incidents in accordance with the Company’s incident response and recovery plans. Through this program, the Company monitors the prevention, detection, mitigation and remediation of cybersecurity threats in real time, reporting to the Audit Committee when appropriate.

The Director of IT Operations has served in various roles in information technology and security across multiple industries for over 35 years. In addition, the Company retains qualified employees and engages consultants with significant expertise and certifications in cybersecurity relevant to our industry. The Company’s CEO, CFO, and CLO each hold degrees relevant to their respective fields, and each has over 25 years of experience managing risks at the Company and at similar companies, including risks arising from cybersecurity threats.

 

Cybersecurity Threat Disclosure

 

We are not aware of any cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company’s business, results of operations, or financial condition. In the event of a future cybersecurity incident, the Company has procedures in place to identify whether the incident or associated cybersecurity risks have materially affected or are reasonably likely to materially affect the Company, to ensure that disclosures are made where required under applicable law or regulation.

 

For further discussion of cybersecurity risks, please see Item 1A, “Risk Factors”.