Turtle Beach Corp - (HEAR)
10-K Filing Date: March 13, 2024
The Company recognizes the importance of developing, implementing, and maintaining cybersecurity measures to ensure the security of our information systems and networks and the confidentiality, availability, and integrity of our data.
Risk management and strategy
Turtle Beach uses a risk-based approach to cybersecurity, utilizing industry-standard frameworks and methodologies to assess and manage risks. The Company has processes for assessing, identifying, and managing material risks from cybersecurity threats. These processes have been integrated into the Company’s overall risk management processes and include an incident response plan to assess and remediate cybersecurity attacks.
The incident response plan provides guidance in identifying, assessing, investigating, remediating, and reporting any confirmed or suspected: (i) compromise of physical, network or system security; (ii) unauthorized access or acquisition of personal information or proprietary information; or (iii) material noncompliance with Company information privacy and security policies and procedures. The plan and associated processes have flexibility to ensure a tailored response based on the circumstances of the incident.
From time to time, the Company engages third-party experts to assess the Company’s cybersecurity controls and processes. For example, in 2021, the Company engaged an information security consultant to conduct an external, design-focused assessment using the National Institute of Standards and Technology framework to evaluate the Company’s cybersecurity controls. The Company’s management used the assessment to assist them in evaluating the Company’s cybersecurity controls, and the Company’s policies and procedures, to further align them with industry standards.
The Company also has processes to identify and oversee cybersecurity threats associated with its use of third-party service providers. These processes include diligence of third-party cybersecurity risk through SOC-2 audits and use of independent vendors who provide cybersecurity ratings.
In addition, the Company maintains an insurance policy which specifically provides coverage for qualifying information security breaches.
The Company has not experienced a material information security breach in the last five years, nor has it incurred any expenses or penalties or paid any settlements related thereto. The Company is not currently facing any cybersecurity threats reasonably likely to materially affect the Company or its business strategy, results of operations or financial condition.
Governance
Cybersecurity is an important part of the Board’s risk oversight. Although the full Board retains responsibility for cybersecurity oversight, the Audit Committee of the Board (the “Audit Committee”) has authority to immediately assess and manage a cybersecurity incident if one were to occur. The Company’s senior management briefs the Audit Committee and the Board periodically on cybersecurity matters and would promptly brief the Audit Committee if a cybersecurity incident occurred.
The Company’s management has day-to-day responsibility for managing cybersecurity risks. The management team includes our Chief Financial Officer, who has cybersecurity expertise through prior leadership positions in networking and software businesses, and our Senior Director of Information Technology, who has formal data security training and certifications.
In addition to using industry-standard tools to monitor cybersecurity risks, management receives direct reporting of cybersecurity threats from our employees, who are trained annually on cybersecurity risks and reporting.