GULF ISLAND FABRICATION INC - (GIFI)
10-K Filing Date: March 07, 2024
Risk Management and Strategy
Our cyber risk management program is integrated into our overall risk oversight program, which is designed to provide executive insight across the business to identify and monitor risks, opportunities and emerging trends that can impact our operations. Cybersecurity risks are identified and assessed through this risk oversight program. We also maintain a cyber insurance policy to mitigate the costs associated with potential cyber-attacks.
We utilize internal and external cybersecurity personnel to assess, detect, identify, manage, prevent and respond to cybersecurity threats and incidents. We regularly evaluate the threat landscape and our security controls, including through assessments, regular network and endpoint monitoring, vulnerability testing and penetration testing.
Our approach to cybersecurity includes strategic partnerships for our cybersecurity platforms, documented policies and procedures, end user training and resources to manage and monitor the evolving threat landscape, including through the gathering of actionable threat intelligence. We maintain and periodically evaluate and, as needed, update our incident response plan, which describes the processes we use to prepare for, detect, respond to and recover from a cybersecurity incident, including processes to assess severity, escalate, contain, investigate and remediate an incident, as well as to comply with potentially applicable legal obligations.
We have experienced targeted and non-targeted cybersecurity incidents in the past. However, prior cybersecurity incidents have not materially affected us. Notwithstanding our cyber risk management program, we may not be successful in preventing or mitigating a cybersecurity incident that could materially affect us, including our business strategy, results of operations or financial condition. See “Risk Factors” in Item 1A for further discussion of the risks we face from cybersecurity threats.
Governance
Our cybersecurity risk management and strategy processes are led by our Corporate Manager – Information Technology. This individual is responsible for assessing and managing our material risks from cybersecurity threats and overseeing the prevention, detection, mitigation and remediation of cybersecurity incidents through the management of, and participation in, our cybersecurity risk management process described in “Risk Management and Strategy” above. He has over 27 years of work experience in various roles involving managing information and operational technology security, cybersecurity and operational technology risk management, developing cybersecurity strategy, implementing effective information technology and cybersecurity processes and procedures, and experience in managing regulatory compliance.
While management is responsible for the day-to-day management of cybersecurity risks, our Board and Audit Committee have ongoing oversight roles. Our Audit Committee is responsible for overseeing cyber and related information technology security risks, including management’s actions to identify, assess, mitigate, and remediate material cyber risks. An annual report on our enterprise risks, including cybersecurity risks, is presented to the Audit Committee and/or the full Board. The annual report includes an overall cyber risk assessment and activities and action plans to mitigate cyber risks, as well as updates on the implementation and progress of previously discussed mitigation activities and action plans. The Audit Committee continues to review cybersecurity recommendations from our information technology personnel, with input from our director with cybersecurity expertise, in an effort to mitigate the associated risks of potential cyber-attacks.