Greenwave Technology Solutions, Inc. - (GWAV)
10-K Filing Date: April 16, 2024
Cybersecurity risks are a growing threat to us and other businesses, including our ERP and other third-party providers, which are vulnerable to cyberattacks, malware, and other system failures that may result in unauthorized access, damage, and other harms to our business or reputation. Protecting the confidentiality, integrity, and availability of our business information, intellectual property, customer, patient and employee data, and technology systems is critical to our business and operations, ability to comply with regulatory requirements, and reputation.
Accordingly, Cybersecurity is an important and integrated part of the Company’s enterprise risk management function that identifies, monitors, and mitigates business, operational, and legal risks.
Accordingly, we have established Cybersecurity standards, policies, and operating procedures, for the purpose of implementing information protection processes and technologies; carrying out Cybersecurity risk detection, identification, assessment, response, and monitoring; assigning responsibility within our organization for risk detection and oversight; implementing Cybersecurity training; governing internal communications regarding Cybersecurity risks; and making required public and regulatory disclosures regarding Cybersecurity threats and incidents. We oversee risks from Cybersecurity threats associated with our use of third-party service providers by requiring our vendors to agree that they have and will maintain appropriate Cybersecurity controls, such as through standard contractual provisions, and by coordinating with key vendors with respect to integration with our systems. Our Cybersecurity risk management program is based on the National Institute of Standards and Technology (“NIST”) framework.
Key components of our Cybersecurity risk management program include the use of third-party service providers, as appropriate, to assess, test, or otherwise assist with aspects of our security processes. For example, we employed a third-party cyber risk consultant to assess our overall Cybersecurity risk framework against NIST standards. We have also engaged third-party experts to perform penetration testing of our IT systems, and we have considered the results of such tests to enhance our Cybersecurity systems and controls, as appropriate.
Our management, including leaders from our IT, information security, legal, and compliance teams, is responsible for implementing our Cybersecurity standards, policies, and operating procedures, under the ultimate oversight of our Chief Financial Officer. We regularly discuss and assess Cybersecurity risks.
Our Audit Committee assists our Board in overseeing Cybersecurity risk management and the integrity of our information technology systems, processes, and data. Periodically, the Audit Committee reviews and discusses with management, and, in its discretion, third-party vendors or other external experts, the adequacy of security for our information technology systems, processes, and data; our incident response and contingency plans in the event of a breakdown or security breach affecting the security of our information technology systems or data or the information technology systems, processes, and data of our clients; and any new threats or incidents that have impacted or may impact us. The Audit Committee receives reports on the operation of such programs from the Chief Financial Officer as appropriate. The Audit Committee also reviews management reports regarding the evolving threat environment, vulnerability assessments, and specific Cybersecurity incidents. Periodically, the Audit Committee reports on Cybersecurity matters, incidents, and risk oversight to the Board.
Although we have not experienced a cyberattack or other Cybersecurity incident that has materially affected us, we cannot guarantee that we will not experience Cybersecurity incidents that may have a material effect on us in the future. We may not be able to protect our systems and networks, or the confidentiality of our confidential or other information (including personal information), from cyberattacks and other unauthorized access, disclosure, and disruption.