Stran & Company, Inc. - (SWAG)
10-K Filing Date: March 28, 2024
Risk Management and Strategy
The Company recognizes the critical importance of developing, implementing, and maintaining robust cybersecurity measures to safeguard our information systems and protect the confidentiality, integrity, and availability of our data. We have developed the following processes as part of our strategy for assessing, identifying, and managing material risks from cybersecurity threats.
Managing Material Risks & Integrated Overall Risk Management
Information technology is important to our business operations and we are committed to protecting the privacy, security and integrity of our data, as well as our employee and customer data. This program is integrated into the Company’s overall enterprise risk management process.
We monitor and update our information technology networks and infrastructure to prevent, detect, address and mitigate risks associated with unauthorized access, misuse, computer viruses and other events that could have a security impact. Additionally, to protect and secure sensitive data such as customer information, we employ multi-factor authentication, a suite of security tools, systems monitoring and alerting, audit logs, and controls across our major systems, corporate devices, and business processes. Our cybersecurity process is designed to assess, identify, prevent, and manage cybersecurity risks and threats, as well as identify, contain and respond to cybersecurity incidents. This process includes a variety of activities, such as company-wide security awareness training, including regular phishing simulations, acceptable use training, self-assessments, and other targeted training throughout the year as appropriate. These cybersecurity trainings provide employees the opportunity to gain an understanding of the various forms of cybersecurity incidents and enable our employees to handle and report any suspicious activity or threat.
To date, our approach to cybersecurity has been effective in protecting the confidentiality, integrity, and availability of our information; however, we cannot guarantee that our efforts will be successful in preventing all cybersecurity incidents. Further, we currently maintain a cyber insurance policy that provides coverage for security breaches; however, such insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related breaches.
Engaging Third Parties on Risk Management
Recognizing the complexity and evolving nature of cybersecurity threats, we leverage the expertise of a managed service provider, and when warranted will engage with independent third parties in evaluating and testing our risk management systems. These service providers enable us to leverage specialized knowledge and insights, ensuring our cybersecurity strategies meet generally accepted industry best practices. Our Chief Information Officer also performs ongoing review of current practices to further ensure cybersecurity.
Overseeing Third-Party Risk
Because we are aware of the risks associated with third-party service providers, we implement processes to oversee and manage these risks. We conduct thorough security assessments of all third-party providers before engagement and maintain ongoing monitoring to ensure compliance with our cybersecurity standards. The monitoring includes regular assessments by our Chief Information Officer. This approach is designed to mitigate risks related to data breaches or other security incidents originating from third parties.
Risks from Cybersecurity Threats
We have not encountered cybersecurity challenges that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition.
Governance
Board of Directors Oversight
Our board of directors oversees the management of risks associated with cybersecurity threats.
Management’s Role in Managing Risk
The Company’s Chief Information Officer is primarily responsible for assessing, monitoring and managing our cybersecurity risks. The Chief Information Officer must ensure that all industry standard cybersecurity measures are functioning as required to prevent or detect cybersecurity threats and related risks. The Chief Information Officer provides briefings on cybersecurity threats and related risks to the Chief Executive Officer on a regular basis. Our Chief Information Officer has had responsibility over cybersecurity, data privacy and classification, incident response, disaster recovery, and business continuity in a number of positions in the field of information technology. The Chief Information Officer oversees and tests our compliance with standards, remediates known risks, and leads our employee training program.
Monitoring Cybersecurity Incidents
The Chief Information Officer is continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. The Chief Information Officer implements and oversees processes for the regular monitoring of our information systems. This includes the deployment of industry-standard security measures and regular system audits to identify potential vulnerabilities. In the event of a cybersecurity incident, the Chief Information Officer will implement an incident response plan. This plan includes immediate actions to mitigate the impact and long-term strategies for remediation and prevention of future incidents.
Reporting to Board of Directors
Significant cybersecurity matters, and strategic risk management decisions, will be escalated to the board of directors.