Item 1C. Cybersecurity

Cybersecurity Risk Management and Strategy

We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.

Identifying and assessing cybersecurity risk is integrated into our overall risk management systems and processes. Cybersecurity risks related to our business, operations, privacy and compliance issues are identified and addressed through a multi-faceted approach. To defend, detect and respond to cybersecurity incidents, we, among other things: conduct proactive privacy and cybersecurity reviews of systems and applications, conduct employee training, monitor emerging laws and regulations related to data protection and information security and implement appropriate changes.

We have implemented a cybersecurity risk management program that leverages the National Institute of Standards and Technology (“NIST”) framework, which organizes cybersecurity risks into five categories: identify, protect, detect, respond and recover. We regularly assess the threat landscape and take a holistic view of cybersecurity risks, with a layered cybersecurity strategy based on prevention, detection and mitigation.

Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Our cybersecurity team collaborates with stakeholders across our business units to further analyze the risk to the company, and form detection, mitigation and remediation strategies. Our risk management program also assesses third-party cybersecurity risks and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers.

We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “Our business and operations would suffer in the event of computer system failures, cyber-attacks, or deficiencies in our or third parties’ cybersecurity” in our risk factor disclosures in Item IA of this Annual Report on Form 10-K.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our management. Our executive management is responsible for the oversight of risks from cybersecurity threats. Members of our board of directors receive updates from our executive management team regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and status on key information security initiatives.

Our cybersecurity risk management and strategy processes are overseen by leaders from our information security, compliance and legal teams. These individuals are informed about, and monitor the prevention, mitigation, detection and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan, and report to our board of directors on any appropriate items.