We maintain a cyber risk management program designed to identify, assess, manage, mitigate, and respond to cybersecurity threats. An analysis of the impact, likelihood, and management preparedness of cybersecurity threats to our strategic priorities is part of our risk management process. The underlying controls of the cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”) and the Center for Internet Security (“CIS”) Critical Security Controls.

We partner with leading cybersecurity companies and organizations to enhance our cybersecurity infrastructure, leveraging third-party technology and expertise to monitor and optimize the performance of deployed products and services. We also engage with third party firms to help identify, assess, and manage cybersecurity risks in alignment with cybersecurity standards and best practices. We use a third-party provider to supplement the continuous monitoring of our cybersecurity environment and to help coordinate the investigation and remediation of events. Our incident response plan documents the procedures for assessing and managing cybersecurity events, including steps for identifying the nature of a cybersecurity threat (including whether the threat is associated with a third-party provider), as well as assessing the severity of a cybersecurity threat. Our incident response team includes executives, and any material cybersecurity events are reported to our Board. In addition, employees are provided with online training courses to build awareness around potential cybersecurity scams and are tested periodically to maintain their focus in this important area.

The information technology group has decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes. The group reports to our Chief Financial Officer. Our cybersecurity manager, who has held roles in security, infrastructure management, and enterprise information technology management, is responsible for assessing and managing the cyber risk management program, informs senior management regarding the prevention, detection, mitigation, and remediation of cybersecurity incidents and supervises such efforts.

The Audit Committee of our Board oversees our cybersecurity risk program and receives regular presentations from management regarding the Company’s efforts to monitor and mitigate cybersecurity risks. In addition, cybersecurity risks are reviewed by our Board, at least annually.

We face risks from cybersecurity threats that could have a material adverse effect on our business, financial condition, results of operations, cash flows or reputation. We have experienced, and will continue to experience, cyber incidents in the normal course of our business. However, prior cybersecurity incidents have not had a material adverse effect on our business, financial condition, results of operations, or cash flows. – See Item 1A. Risk Factors – “We are subject to cybersecurity risks. A cyber incident could occur and result in information theft, data corruption, operational disruption and/or financial loss.” for more information about these and other risks related to information security.