Shimmick Corp - (SHIM)
10-K Filing Date: March 28, 2024
We maintain a data security plan designed to provide a documented and formalized information security policy to detect, identify, classify and mitigate internal and external cybersecurity and other data security threats. This cybersecurity program is based in part on, and its effectiveness is measured using, applicable industry standards, and it is incorporated into our overall enterprise risk management program.
In furtherance of detecting, identifying, classifying and mitigating cybersecurity and other data security threats, we also:
Conducting our businesses involves the collection, storage, use, disclosure, processing, transfer, and other handling of a wide variety of information, including personally identifiable information, for various purposes in our businesses. Like other comparable-sized companies that process a wide variety of information, our information technology systems, networks and infrastructure and technology have been, and may in the future be, vulnerable to cybersecurity attacks and other data security threats. These types of attacks are constantly evolving, may be difficult to detect quickly, and often are not recognized until after they have been launched against a target. For more information about these and other cybersecurity risks faced by us, see “Risk Factors – Risks Related to Our Business and Industry – We rely on IT systems to conduct our business, and disruption, failure or security breaches of these systems could adversely affect our business and results of operations” and “– Cybersecurity attacks on or breaches of our information technology environment could result in business interruptions, remediation costs and/or legal claims”.
Our board of directors has ultimate oversight for risks relating to our data security plan. In addition, the board of directors has delegated primary responsibility to the Audit Committee for assessing and managing data privacy and cybersecurity risks, reviewing data security and cybersecurity policies and processes with respect to data privacy and cybersecurity risk assessment and management, reviewing steps management has taken to monitor and control such risks, and regularly inquiring with our management team, internal auditors and independent auditors in connection therewith. The Audit Committee is also responsible for overseeing our investigation of, and response to, any cybersecurity attacks or threats.
We also have a dedicated team of employees overseeing our data security plan and initiatives, led by our Director of IT, which works directly in consultation with internal and external advisors in connection with these efforts. With over fifteen years of experience in the field of cybersecurity, our Director of IT brings a wealth of expertise to his role. His background includes extensive experience in all facets of information technology and information security. His in-depth knowledge and experience are instrumental in developing and executing our cybersecurity strategies.
We have developed a procedure by which the board of directors and management are informed about relevant cybersecurity risks, allowing for effective cybersecurity oversight and the ability of the Company to monitor, prevent, detect, mitigate and remediate cybersecurity incidents. The results of our evaluations and the feedback from our engagements are used to drive alignment on, and prioritization of, initiatives to enhance our cybersecurity strategies, policies, and processes and make recommendations to improve processes.
In the event of a potential or actual cybersecurity event, the Director of IT immediately notifies general counsel, at which point the information security incident response plan is activated if warranted. The information security incident response plan provides the procedures for responding, including personnel required to be informed and updated. The board of directors is informed promptly in the event such incident has, or is reasonably expected to have, a material impact on operations or financial condition.