Societal CDMO, Inc. - (SCTL)
10-K Filing Date: March 22, 2024
Cybersecurity Risk Management and Strategy
We rely on information systems and the data stored on them to conduct our operations. As such, we have implemented processes designed to mitigate risks posed by cybersecurity threats.
Our approach to cybersecurity risk management is multi-faceted and includes, but is not limited to, engaging third-party information technology and cybersecurity providers and consultants for support as appropriate, including to conduct annual penetration testing and cybersecurity risk assessments, as well as other vulnerability analyses on a periodic basis. We also utilize a third party to implement and manage automated tools designed to conduct ongoing monitoring for potential critical risks from cybersecurity threats. Additionally, we have implemented an employee education and training program, offered during onboarding and on an ongoing, periodic basis thereafter, that is designed to raise awareness of cybersecurity threats. As part of this employee training, we engage in periodic phishing simulations designed to raise employee awareness of such risks.
We maintain processes to inform and update management and, as needed, the audit committee, regarding security incidents that may pose a significant risk for the business, as applicable. We have not identified any cybersecurity incidents or threats that have materially affected us or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition; however, like other companies in our industry, we and our third-party vendors have experienced threats and security incidents relating to our and our third-party vendors’ information systems. For more information, please see “Item 1A, Risk Factors.”
Governance
Our Director of Information Technology, who reports directly to our Chief Financial Officer, is responsible for the day-to-day management of our cybersecurity risk management processes. The Director of Information Technology role is currently held by an individual who has thirty years of information technology and cybersecurity experience.
Our audit committee is responsible for overseeing our cybersecurity risk management program. Our Director of Information Technology and/or Chief Financial Officer periodically update the audit committee on cybersecurity risks and mitigation strategies and related cyber matters. In the event of a cybersecurity incident, we have implemented processes for the Director of Information Technology and/or the Chief Financial Officer to discuss incident response strategies with the audit committee. The Director of Information Technology and/or the audit committee update the full board of directors on matters relating to cybersecurity risk management and critical cybersecurity risks as appropriate.