ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Our information security program covers a range of cybersecurity activities with a primary objective of maintaining the confidentiality, integrity, and availability of information for our business and customers. The program and our systems are designed to identify and mitigate information security risks and data privacy breaches. Our risk mitigation processes include a cybersecurity incident response plan that is exercised regularly with tabletop exercises, security awareness training with attack simulations to reinforce the training, cybersecurity risk assessment integrated with technology acquisition processes and utilization of third-party partnerships for threat intelligence, incident response and escalation, and attack surface monitoring.

We measure our security performance against the International Organization for Standardization 27001 Framework and Enterprise Risk Management strategies. We implement policies and practices to mitigate risks to organization data and operational processes.

Our Global Data Privacy Program continues to align with environmental, social, and corporate governance standards and considers both risks and benefits of privacy-driven spending. The program operating model is based on the General Data Protection Regulation, which is adjusted for specific local requirements. The operating model is scalable to manage strategic, operational, legal, compliance, and financial risks and benefits, and uses technology to automate portions of the program, such as data subject access requests and consent and preference management.

Our membership on the Data Privacy Board, a group comprised of some of the world’s largest companies with a mission to help members engage in confidential, leader-level discussion, presents opportunities using unbiased benchmarking and support from peers in various industries. We continue to build privacy resilience across international operating environments.

We work with third-party vendors to enhance our processes against the occurrences and impact of unauthorized access to our network, computers, programs, and data. Risk is inherent in risk management and strategy for cybersecurity. See “Risk Factors” in Part I, Item 1A in this report for further discussion.

Governance

The Board of Directors has oversight responsibility for cyber risks affecting the Company. The Board has delegated risk oversight with respect to operational, compliance, and financial matters, including cybersecurity and information technology risk, to the Audit Committee.

Our Director of Security has extensive experience implementing and managing cybersecurity policies including oversight of investments in tools, resources, and processes that allows for the continued maturity of our cybersecurity program. Team members who support our information security program have relevant educational and industry experience. Our CEO, Chief Financial Officer, and Audit Committee receive regular reports provided by our Director of Security on the Company’s risk and compliance with respect to cybersecurity matters including data privacy, incidents, and industry trends, along with prevention, detection, mitigation, and remediation of cyber incidents.