Atara Biotherapeutics, Inc. - (ATRA)

10-K Filing Date: March 28, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

We have established policies and processes designed to assess, identify, and manage material risk from cybersecurity threats, and have integrated these processes into our overall risk management systems and processes.

We routinely assess material risks from cybersecurity threats, including any potential unauthorized occurrence on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of our information systems or any information residing therein.

We monitor our environments to identify cybersecurity threats, as well as assess our environments in the event of a material change in our business practices that may affect information systems that are vulnerable to such cybersecurity threats. These risk assessments include identification of reasonably foreseeable internal and external risks, the likelihood and potential damage that could result from such risks, and the sufficiency of existing policies, procedures, systems, and safeguards in place to manage such risks.

Following our monitoring, we adjust, implement and maintain reasonable safeguards to minimize identified risks; reasonably address any identified gaps in existing safeguards; and regularly monitor the effectiveness of our safeguards. Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Chief Information Officer, who reports to our Chief Financial Officer, to manage any identified risks and mitigation process. As part of our overall cyber security framework, we monitor and test our safeguards and train our employees on these safeguards, in collaboration with our information technology (IT) department and management. Personnel at all levels and departments are made aware of our cybersecurity policies through ongoing training.

We engage third-party vendors in connection with our cybersecurity risk monitoring and processes. These service providers assist in our design and implementation of our cybersecurity policies and procedures, as well as to monitor and test our safeguards. We require each third-party service provider to certify that it has the ability to implement and maintain appropriate security measures, consistent with all applicable laws, to implement and maintain reasonable security measures in connection with their work with us, and to promptly report any suspected breach of its security measures that may affect our company.

We also maintain insurance coverage that is intended to address certain aspects of cybersecurity risks.

Notwithstanding any of these measures, our systems and networks remain potentially vulnerable to known or unknown cybersecurity attacks and other threats, any of which could have a material adverse effect on our consolidated results of operations, financial condition and cash flows. We have experienced, and will continue to experience, cyber incidents in the normal course of our business. As of the date of this report, we have not identified any risks from cybersecurity threats, including those from any previous cybersecurity incidents, that have materially affected us, our business strategy, results of operation or financial condition. However, there can be no assurances that a cybersecurity threat or incident that could have a material impact on us will not occur in the future. For additional information on the risks we face from cybersecurity threats, please see the risk factor titled, "If our security measures are compromised, or our information technology systems or those of our vendors, and other relevant third parties fail or suffer security breaches, loss or leakage of data, and other disruptions, this could result in a material disruption of our services, compromise sensitive information related to our business, harm our reputation, trigger our breach notification obligations, prevent us from accessing critical information, and expose us to liability or other adverse effects to our business." in Item 1A. "Risk Factors."

Governance

The Audit Committee of the Board of Directors is responsible for the primary oversight of our information security programs, including relating to cybersecurity. The Audit Committee receives status updates on at least a semi-annual basis from our Chief Information Officer on, among other things, our cyber risks and threats, the status of projects to strengthen our information security systems, assessments of our security program, and our views of the emerging threat landscape. The Chair of the Audit Committee regularly reports to the Board on cybersecurity risks and other matters reviewed by the Audit Committee. In addition, all Board members have access to the materials for each Audit Committee meeting.

Our Chief Information Officer is responsible for the oversight of our cybersecurity risks. We have implemented a security incident response plan and use this incident response framework as part of the process we employ to keep the Audit Committee and our executive management informed about cybersecurity risks and to monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The plan is a set of procedures and tasks that our incident response team, under the direction of the Chief Information Officer, executes with the goal of ensuring timely identification and appropriate resolution of cybersecurity incidents. In addition, we validate compliance with our internal data security controls through the use of security monitoring tools.

Our Chief Information Officer has over 25 years of IT experience and has a thorough understanding of enterprise-level cyber security framework. Our Chief Information Officer has also participated in cybersecurity reviews and implementations including various tools and platforms for over 10 years and drives strategic cyber security implementations based on industry best practices that help us strengthen our security posture on a continuous basis.