We have processes in place for assessing, identifying, and managing material risks from cybersecurity threats which could result in information security breaches and significant disruption to our business. We have a multi-layer security approach including specialized hardware/software, access protocols, third-party

assessments, and regular training. Our servers are hosted by a third-party that provides Service Organization Control (SOC) Type 1 and 2 reports annually with monthly bridge letters and hosts a separate disaster recovery site. Our Firewall, Virtual Private Network, Multifactor Authentication, Email Gateway, Antivirus software, file storage protection software, and other software applications help mitigate cybersecurity risks. Our IT Steering committee reviews our access protocols and systems biannually. Our third-party internal auditing firm provided an assessment of our system design and performed testing. Our IT consultant participates in our weekly operations meetings, requires cybersecurity training, and monitors the results of test phishing and credential harvesting emails.

Our board of directors has oversight of our strategic and business risk management and has delegated cybersecurity risk management oversight to the Audit Committee of our board of directors. Our Audit Committee is responsible for ensuring that management has processes in place designed to identify and evaluate cybersecurity risks to which the company is exposed and to implement processes and programs to manage cybersecurity risks and mitigate cybersecurity incidents.

Management is responsible for identifying, assessing, and managing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risk exposures are monitored, putting in place appropriate mitigation measures, maintaining our business continuity plans, IT security policies and procedures, and providing regular reports to our board of directors, including through the Audit Committee. Our IT consultant monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents through a variety of software tools, and regularly reports to management.

In 2023, we did not identify any cybersecurity events that have materially affected or are reasonably likely to materially affect our business, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced undetected cybersecurity incidents. For additional information about these risks, see Part I, Item 1A, "Risk Factors" in this Annual Report on Form 10-K.