VIAD CORP - (VVI)
10-K Filing Date: March 01, 2024
Cybersecurity Risk Management and Strategy
We maintain a team, tools, policies, and processes for identifying, assessing, and managing material risks from cybersecurity threats. Threats like malware attacks, system vulnerabilities, and data breaches are actively identified, monitored, evaluated, and mitigated along with other Company risks. Our security team maintains centralized documentation regarding known security risks and mitigation. Consideration of material risks from cyber threats is integrated into our enterprise risk management processes and is a standing agenda item for discussion at our Audit Committee meetings. An Information Security Executive Committee, which represents multiple functions of the business including the Finance, Human Resources, Legal, and Information Technology (“IT”) departments, is responsible for assessing material risks from cybersecurity threats. We have certain employee cybersecurity awareness campaigns and training designed to help promote a culture of cybersecurity awareness throughout the organization. Cybersecurity tools, processes, policies, and controls are periodically reviewed and updated in response to changes in the business environment and evolving threats, as well as to align with broader risk management objectives.
Our information security function, led by our Chief Information Officer (“CIO”), implements and maintains the processes and controls to help identify, assess, and manage material risks from cybersecurity threats. These controls include, but are not limited to, the following Center for Internet Security (“CIS”) controls:
Supporting these controls are specific security measures that include threat intelligence monitoring, vulnerability scanning, and policy enforcement.
We use third-party service providers to assist us in identifying, assessing, and managing material risks from cybersecurity threats, including professional service firms, legal counsel, threat intelligence service providers, cybersecurity consultants, cybersecurity software providers, and forensic investigators. We have a Cybersecurity Incident Response Plan (“IRP”) that includes procedures for responding to and, to the extent applicable, disclosing material cybersecurity incidents in a timely manner. We have third-party risk management processes designed to assess risks from key vendors and suppliers, including application providers and hosting companies. Key software service providers utilized by the Company undergo a review process for security, reliability, and effectiveness. We have processes in place to address access to our network by such third parties, to the extent applicable, including network access controls designed to provide access on a ‘least privilege’ basis.
For a discussion of risks from cybersecurity threats that may materially affect the Company, see “Risk Factors” under the heading “Cybersecurity and Data Privacy Risks.” (Part I, Item 1A of this 2023 Form 10-K).
Cybersecurity Governance
Cybersecurity risk management is a part of our risk management process and is subject to oversight by our Board of Directors and management. Our Board of Directors has delegated oversight and mitigation of risks from cybersecurity threats to our Audit Committee. Our Audit Committee receives quarterly reports from either our CIO or our General Counsel concerning any significant cybersecurity threats, risks, and the tools and processes we have implemented for mitigation. Our cybersecurity risk assessment and management processes are implemented and maintained by certain members of management including the following: