HARVARD BIOSCIENCE INC - (HBIO)

10-K Filing Date: March 07, 2024
Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We have implemented a cybersecurity risk management program intended to protect the confidentiality, integrity, and availability of our critical systems and information. Our cybersecurity risk management program is an element of and is integrated into our overall enterprise risk management program. Our framework is informed in part by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and International Organization for Standardization 27001 (ISO 27001) Framework, although we have not been audited to, and may not be in compliance with, all technical standards, specifications or requirements under the NIST or ISO 27001 frameworks. Our cybersecurity risk management program includes:

- risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader enterprise information technology (“IT”) environment;
- a security team that is principally responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls, and (3) our response to cybersecurity incidents;
- the use of external service providers, where appropriate, to assess, test, or otherwise assist with aspects of our security controls;
- cybersecurity awareness training for our employees, incident response personnel, and senior management;
- assessment of material cybersecurity risks posed by third-party service providers, including risks to employee, customer and financial information; and
- a cybersecurity incident response protocol that includes procedures for responding to cybersecurity incidents.

We have been, and expect to continue to be, subject to cybersecurity risks and incidents related to our business. To date, such risks and incidents have not materially affected our business strategy, results of operations or financial condition. For more information about the cybersecurity risks we face, see Item 1A – Risk Factors.

Cybersecurity Governance

Our Board considers cybersecurity risk as part of its enterprise risk management oversight function. This oversight includes periodic reports from management, including our Vice President of IT, concerning cybersecurity related risks.

Our management team, including our Vice President of IT, is responsible for assessing and managing risks from cybersecurity threats. Our Vice President of IT has extensive information technology and program management experience, including broad experience in corporate and consulting environments across a range of organizations and industries. Where appropriate, she engages external cybersecurity consultants to assist with cybersecurity related matters. Our management team has primary responsibility for our overall cybersecurity risk management program and, under the leadership of our Vice President of IT, supervises both our internal personnel and external cybersecurity consultants. This includes efforts to prevent, detect, mitigate, and remediate cybersecurity risks. These efforts employ information from various sources, such as security tools deployed in our IT environment, internal personnel, external security consultants, and governmental sources.
