10-K Filing Date: March 08, 2024

To combat the ever-present cyber risks, the Company maintains a comprehensive cybersecurity program, which includes ongoing employee training, annual risk assessments and a comprehensive cybersecurity environment meant to detect, prevent, and limit unauthorized or harmful actions across our information technology environment. We operate in the medical device sector, which is subject to various cybersecurity risks that could adversely affect our business, financial condition, and results of operations, including intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk. We have implemented a risk-based approach to identify and assess the cybersecurity threats

that could affect our business and information systems and partner with a third-party hosted provider. Our cybersecurity program is aligned with industry standards, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We use various tools and methodologies to manage cybersecurity risk that are tested on a regular cadence. We also monitor and evaluate our cybersecurity performance on an ongoing basis through regular vulnerability scans, penetration tests and threat intelligence feeds. We require third-party service providers with access to personal, confidential, or proprietary information to implement and maintain comprehensive cybersecurity practices consistent with applicable legal standards.

Our VP of Information Technology has expertise in the following areas which assist in assessing and managing applicable cybersecurity risk: 36 years of IT experience including endpoint detection, security, incident management and response, vulnerability management and response, event management and response, and network security segmentation. The VP of Information Technology provides regular reports on ongoing risk and mitigation practices to our COO and CFO, who then reports to the Board. Our incident response policy, which is updated from time to time, provides that management reports to the Board in the event of any detected material incident and regularly updates them on the mitigation and remediation steps being taken in connection with the Company’s response.

The Board considers cybersecurity risks in business strategy by getting updates on cybersecurity risk assessment. It assesses the experience of management personnel responsible for preventing, mitigating, detecting, and remediating any cyber incidents, including the VP of Information Technology as well as third-party providers. The Company has not experienced any cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected the Company, including its business strategy, results of operations or financial condition.

In 2023, we upgraded our enterprise resource planning system to enhance operating efficiencies and provide more effective management of our business operations. The upgrade was substantially completed in the third quarter of 2023. The upgrade included training of personnel, migration of data, and maintaining effective internal controls.