Vaxxinity, Inc. - (VAXX)
10-K Filing Date: March 27, 2024
Item 1C. Cybersecurity Risk Management.
At Vaxxinity, cybersecurity risk management is an integral part of our IT strategy. Our cybersecurity risk management program is
based on standard industry practices and follows the National Institute of Standards and Technology (NIST) framework, which
provides steps for identifying system and operational vulnerabilities, protecting systems, detecting intrusions and malicious behavior,
as well as for planning a strong response and recovery. This methodology and our smaller functional scope allow us to effectively
address cybersecurity threats and incidents.
A majority of our IT systems are built on services provided by third parties. For example, we leverage commonly used foundational
technologies provided by third parties, such as secure messaging gateways, enforced drive encryption and multi-factor authentication.
Our choice of tools is shaped by these providers’ reputations and the outcomes of our internal evaluation process. We have
implemented a risk management process designed to mitigate cybersecurity risks that arise from utilizing services provided by third
parties and regularly review the performance of these vendors and monitor for any adverse developments which may impact our own
security posture. Our control over and ability to monitor the security posture of third parties with whom we do business remains
limited and there can be no assurance that we can prevent, mitigate or remediate the risk of any compromise or failure in the security
infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our
right to indemnification, if any at all, may be limited or insufficient to prevent a negative impact on our business from any such
compromise or failure.
Employees and contractors are given cybersecurity awareness training as part of their on-boarding process. We also maintain an
organizational IT and Security Policy which includes an Acceptable Use Policy that provides detailed guidelines on proper resource
use and personal behavior. We require written acknowledgment of the latter document by all employees and contractors. All policies
are regularly reviewed and updated to keep in line with industry developments and organizational changes. Employees and contractors
across all departments are encouraged to report any concerns or suspicions to the IT department, which then investigates and
recommends appropriate actions.
Our board of directors has overall responsibility for oversight of our risk management policies and procedures. Its audit committee
(the “Audit Committee”) is responsible for ensuring that management has processes in place designed to identify and evaluate
cybersecurity risks to which we are exposed and implement processes and programs to manage them and mitigate and remediate any
incidents. The Audit Committee also reports material cybersecurity risks to our full board of directors on an as-needed basis, but no less
than annually.
Routine oversight of cybersecurity risk management is delegated by the Audit Committee to our Chief Legal, Compliance and
Administrative Officer. The IT department, reporting directly to this Officer, is responsible for managing the cybersecurity risk
management program and is responsible for identifying, considering and assessing potentially material cybersecurity risks on an
ongoing basis, establishing processes to ensure that potential cybersecurity risk exposures are monitored, putting in place appropriate
mitigation measures and reporting to executive leadership about evolving issues. The Chief Legal, Compliance and Administrative
Officer, in turn, updates the Audit Committee and board of directors on any related incidents or threats that are being addressed.
The IT department's personnel have extensive backgrounds in IT operations in similar environments and each team member has had
experience managing cybersecurity issues. We have access to external advisors in connection with our cybersecurity risk management
program should additional expertise be required to manage cybersecurity incidents or risk.
In 2023, we did not identify any cybersecurity threats or incidents that materially affected or are reasonably likely to materially affect
our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from
cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. For more
information about these risks, please see “Risk Factors – Risks Related to Our Business and Industry” in this annual report on Form
10-K.