Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We recognize the critical importance of safeguarding our information systems and data against evolving cybersecurity threats. Our program is based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications, or requirements, only that we use the NIST CSF as a guide to help us identify, assess, and manage cybersecurity risks relevant to our business.

To protect our information systems from cybersecurity threats, we use various security tools that help prevent, identify, escalate, investigate, resolve, and recover from identified vulnerabilities and security incidents in a timely manner. These include, but are not limited to, preventative tools and technologies, monitoring and detection tools, and regular backup protocols. Additionally, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards. The results of these assessments are reported to the Audit Committee.

We assess risks from cybersecurity and technology threats and monitor our information systems for potential vulnerabilities. We use a widely adopted risk quantification model to identify, measure and prioritize cybersecurity and technology risks and develop remediation or mitigation controls and safeguards. We conduct regular reviews and tests of our information security program including penetration and vulnerability testing to evaluate the effectiveness of our information security program and improve our security measures and planning.

Our cybersecurity risk management program includes:

There can be no assurance that our cybersecurity risk management program and processes, including our policies, controls, or procedures, will be fully implemented, complied with or effective in protecting our systems and information.

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition.

Cybersecurity Governance

Cybersecurity is an important part of our risk management processes and an area of focus for our Board and management. Our Audit Committee is responsible for the oversight of risks from cybersecurity threats. Members of the Audit Committee receive updates on a quarterly basis from senior management, including leaders from our Information Security and Legal teams regarding matters of cybersecurity. This includes existing and new cybersecurity risks, status on how management is addressing and/or mitigating those risks, cybersecurity, and data privacy incidents (if any) and status on key information security initiatives.

Our management team, including the Director of IT Security, is responsible for assessing and managing our material risks from cybersecurity threats. The team has primary responsibility for our overall cybersecurity risk management program and supervises both

---

our internal cybersecurity personnel and our retained external cybersecurity consultants. Our management team’s experience includes over 20 years of Information Security experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies.

Our management team supervises efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.