Risk Management and Strategy

We have certain processes and policies in place to assess, identify and manage material cybersecurity risks. We also periodically monitor and test our information systems for potential vulnerabilities. We use various tools designed to help identify, investigate and resolve cybersecurity incidents, and to help recover from them in a timely manner. These processes, policies and tools comprise our cybersecurity risk program, and are integrated into our overall risk management program.

We have an Information Technology Policy that sets parameters for the use, privacy, security, retention, and disposal of our information and other assets. We also have an Incident Response Policy which sets forth the steps for assessment, containment, and disclosure of cybersecurity threats. These policies were prepared using relevant guidance and technology standards and are reviewed periodically.

We collaborate with third parties to assess the effectiveness of our cybersecurity risk program and have assessed it against the National Institute of Standards and Technology (“NIST”) cybersecurity framework. In addition, we consider the internal risk oversight programs of third-party service providers with whom we engage in order to help protect us from any related cybersecurity vulnerabilities.

Under our cybersecurity risk program, we provide all of our employees with periodic cybersecurity training, which covers timely and relevant topics, including social engineering, phishing, password protection, confidential data protection, asset use and mobile security, and educates employees on the importance of reporting all incidents immediately.

Although we are subject to cybersecurity risks, to date, none have materially affected our company, including our business strategy, results of operations, or financial condition. Notwithstanding our cybersecurity risk program, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our company. See Item 1A. “Risk Factors” for a discussion of cybersecurity risks.

Governance

Our board of directors oversees our risk management process directly and through its committees. The audit committee of our board of directors has the power and responsibility to coordinate our board’s oversight over our risk management procedures and to discuss with our management our policies with respect to risk assessment and risk management. Our board of directors has delegated to its audit committee oversight authority of our information security (including cybersecurity) risk management.

Primary responsibility for assessing, monitoring and managing our cybersecurity risks rests with our Senior Director, Human Resources & Infrastructure, who together with our Chief Financial Officer and General Counsel, work in close partnership with our outside information technology and cybersecurity consulting firm, and collectively, comprise the core team members of our Rapid Response Team under our Incident Response Policy. The Rapid Response Team is made up of a broad range of participants with relevant education, skills, and experience to investigate cybersecurity threats and assess the materiality thereof to determine internal reporting to our audit committee and board of directors, as well as external reporting or disclosure requirements. Management provides at least quarterly updates to the audit committee, and in turn management and the audit committee provide periodic updates to our board of directors, regarding ongoing cybersecurity risk assessments and related activities.